diff --git a/api-server/.snyk b/api-server/.snyk
new file mode 100644
index 00000000000000..1f736485401833
--- /dev/null
+++ b/api-server/.snyk
@@ -0,0 +1,15 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.1
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+ 'npm:debug:20170905':
+ - loopback > debug:
+ patched: '2025-12-11T10:54:56.082Z'
+ id: 'npm:debug:20170905'
+ path: loopback > debug
+ 'npm:ms:20170412':
+ - loopback > debug > ms:
+ patched: '2025-12-11T10:54:56.082Z'
+ id: 'npm:ms:20170412'
+ path: loopback > debug > ms
diff --git a/api-server/package.json b/api-server/package.json
index 2e6f6519fdd90a..c24dd970679eb2 100644
--- a/api-server/package.json
+++ b/api-server/package.json
@@ -25,7 +25,9 @@
 "common-setup": "pnpm -w run create:shared",
 "predevelop": "pnpm common-setup",
 "develop": "node src/development-start.js",
- "start": "DEBUG=fcc* node lib/production-start.js"
+ "start": "DEBUG=fcc* node lib/production-start.js",
+ "prepare": "pnpm run snyk-protect",
+ "snyk-protect": "snyk-protect"
 },
 "dependencies": {
 "@freecodecamp/loopback-component-passport": "1.2.0",
@@ -53,7 +55,7 @@
 "jsonwebtoken": "8.5.1",
 "lodash": "4.17.21",
 "loopback": "3.28.0",
- "loopback-boot": "2.28.0",
+ "loopback-boot": "3.1.1",
 "loopback-connector-mongodb": "5.6.0",
 "method-override": "3.0.0",
 "moment": "2.29.3",
@@ -74,7 +76,8 @@
 "stripe": "8.205.0",
 "strong-error-handler": "3.5.0",
 "uuid": "3.4.0",
- "validator": "13.7.0"
+ "validator": "13.7.0",
+ "@snyk/protect": "latest"
 },
 "devDependencies": {
 "@babel/cli": "7.17.10",
@@ -85,5 +88,6 @@
 "@babel/preset-env": "7.18.0",
 "loopback-component-explorer": "6.4.0",
 "nodemon": "2.0.16"
- }
+ },
+ "snyk": true
 }
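Review bot: The `patch:` entries mark `loopback > debug` and `loopback > debug > ms` as patched, but nothing visible in this diff checks that the patches actually land on the installed files. The package.json scripts use pnpm, whose node_modules layout differs from npm's, so confirm that `snyk-protect` finds both packages there; a silent no-op would leave the vulnerable versions in place while this file says otherwise. If fixed releases of `debug` and `ms` are available, an override in the workspace manifest such as `"pnpm": { "overrides": { "debug": "<FIXED_VERSION>", "ms": "<FIXED_VERSION>" } }` would keep the lockfile an accurate record of what runs, which in-place patching does not.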
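Review bot: The new `prepare` script in the `-25,7 +25,9` hunk runs `snyk-protect` as an install-time lifecycle hook, and the `-74,7 +76,8` hunk resolves that binary from `"@snyk/protect": "latest"`, while every other dependency visible in these hunks is pinned to an exact version. A floating tag on a package that executes during install and rewrites files under node_modules removes the reproducibility the other pins give. Unless a lockfile not shown here freezes it, a broken or tampered release would run in CI and on developer machines without any manifest change to review. Pin it like its neighbours, `"@snyk/protect": "<EXACT_VERSION>"`, and let the normal dependency-update process move it forward.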