From 00941027d7d63b92f0ac980fd99133d8a15d2fc1 Mon Sep 17 00:00:00 2001
From: Scott George
Date: Fri, 19 Dec 2025 15:24:59 -0500
Subject: [PATCH] Address security scan warnings
---
 .github/workflows/samples-ci.yml | 2 ++
 javascript/webhooks-node/send-test-webhook.mjs | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/samples-ci.yml b/.github/workflows/samples-ci.yml
index cf3934d..22ac6e8 100644
--- a/.github/workflows/samples-ci.yml
+++ b/.github/workflows/samples-ci.yml
@@ -5,6 +5,8 @@ on:
 push:
 branches: [main]
 pull_request:
+permissions:
+ contents: read
 jobs:
 javascript-samples:
diff --git a/javascript/webhooks-node/send-test-webhook.mjs b/javascript/webhooks-node/send-test-webhook.mjs
index de24811..bf264e5 100644
--- a/javascript/webhooks-node/send-test-webhook.mjs
+++ b/javascript/webhooks-node/send-test-webhook.mjs
@@ -1,4 +1,5 @@
 import "dotenv/config";
+import crypto from "node:crypto";
 import { signPaywazWebhook } from "./sign-webhook.mjs";
 const SECRET = process.env.PAYWAZ_WEBHOOK_SECRET;
@@ -14,14 +15,14 @@ if (!SECRET) {
 // Spec-accurate example event matching your WebhookEvent schema
 const event = {
- id: `evt_${Math.random().toString(16).slice(2)}`,
+ id: `evt_${crypto.randomUUID()}`,
 type: "payment.pending",
 eventVersion: "2025-01-01",
 livemode: false,
 createdAt: new Date().toISOString(),
 data: {
 payment: {
- id: `pay_${Math.random().toString(16).slice(2)}`,
+ id: `pay_${crypto.randomUUID()}`,
 status: "pending",
 amount: "49.99",
 currency: "USD",
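Review bot: The new top-level `permissions:` block in `.github/workflows/samples-ci.yml` carries no comment saying that it caps the `GITHUB_TOKEN` for every job in the workflow. Without one, a later job that needs a write scope is likely to widen this default rather than add its own job-level `permissions:`. I would put `# Least privilege: GITHUB_TOKEN is read-only for all jobs; grant extra scopes per job, not here.` directly above it. Listing only `contents: read` also sets every unlisted scope to none, and the job definitions lie outside the hunk, so confirm that no job depends on a scope this default now removes.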
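Review bot: `crypto.randomUUID()` changes the shape of the sample ids in `send-test-webhook.mjs`: `evt_` and `pay_` are now followed by a 36-character hyphenated UUID instead of a short hex string, while the comment above `const event` still calls the payload spec-accurate. The WebhookEvent schema is not visible in this patch, so if it constrains the id format, using `crypto.randomBytes(12).toString("hex")` in place of `crypto.randomUUID()` keeps the old hex alphabet and still avoids `Math.random()`. A one-line comment such as `// ids are test fixtures, not secrets; a CSPRNG is used only to satisfy the insecure-randomness rule` would also make clear that nothing here depends on id unpredictability. The script's authenticity guarantee presumably comes from the `signPaywazWebhook` signature over `PAYWAZ_WEBHOOK_SECRET`. The `event` literal continues past the end of the hunk.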