
Resolves issue #1775, Fix vulnerability where the inUse lock is stripped during organization updates. #1794

Merged

david-rocca merged 5 commits into updated_ur_fields from dr_1775 on May 1, 2026

Conversation

@david-rocca
Collaborator

Closes Issue #1775

Summary

This PR addresses a vulnerability where non-sequential CVE ID reservations could bypass CVE ID quotas. Specifically, the inUse (and in_use) property, which acts as a lock during reservations, was not protected during organization updates. As a result, when an admin called PUT /api/registry/org/:shortname, the inUse property was overwritten and removed, prematurely clearing the lock. This PR adds inUse and in_use to the protected fields list to ensure the lock is preserved across updates.

Important Changes

src/repositories/baseOrgRepositoryHelpers.js

  • Added inUse and in_use to the protectedFields array in processJointApprovalAndMerge to prevent them from being overwritten and dropped during organization updates.

test/integration-tests/registry-org/registryOrgCRUDTest.js

  • Added an integration test, "Preserves inUse and in_use properties across updates", to verify that the inUse and in_use flags remain intact after a PUT /api/registry/org/:shortname update.

Testing

Steps to manually test updated functionality, if possible:

  1) Attempt to reserve a non-sequential CVE ID while simultaneously sending a PUT /api/registry/org/:shortname request.
  2) Verify that the PUT request does not clear the inUse flag in the MongoDB document mid-reservation.
  3) Verify that the integration tests pass successfully (npm run test:integration).

Notes

  • Both the legacy (inUse) and registry (in_use) fields were explicitly protected to ensure backwards and forwards compatibility across schemas.
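As an added illustration of the mechanism this PR relies on (this is not cve-services code and not the body of processJointApprovalAndMerge), the snippet below merges a PUT body into a stored organization document while copying every protected field from the stored copy, so a request that omits the lock cannot drop it. The field names other than inUse and in_use, the merge function name and the sample documents are constructed for the example.

```javascript
// Added example, not project code: how a protected-fields list keeps the
// reservation lock from being dropped by an organization update.

// Pre-fix and post-fix protected lists. Only inUse/in_use come from the PR;
// short_name and UUID are constructed stand-ins for other immutable fields.
const PROTECTED_FIELDS_BEFORE = ['short_name', 'UUID'];
const PROTECTED_FIELDS_AFTER = ['short_name', 'UUID', 'inUse', 'in_use'];

// Build the replacement document for PUT /api/registry/org/:shortname.
// Every protected field is taken from the stored document: the request body
// can neither change it nor remove it by leaving it out. If the stored
// document has no such field, the body is not allowed to introduce one
// (a client should not be able to set or clear a lock it does not hold).
function mergeOrgUpdate(stored, body, protectedFields) {
  const merged = { ...body };
  for (const field of protectedFields) {
    if (field in stored) {
      merged[field] = stored[field];
    } else {
      delete merged[field];
    }
  }
  return merged;
}

// Constructed sample: an org whose reservation lock is currently held, and an
// admin update that, like a normal PUT body, says nothing about the lock.
const storedOrg = {
  short_name: 'example_org',
  UUID: '00000000-0000-0000-0000-000000000000', // placeholder value
  name: 'Example Org',
  inUse: true,
  in_use: true,
};
const putBody = {
  short_name: 'example_org',
  UUID: storedOrg.UUID,
  name: 'Example Org (renamed)',
};

// Does the lock survive the update under a given protected-fields list?
function lockSurvives(protectedFields) {
  const merged = mergeOrgUpdate(storedOrg, putBody, protectedFields);
  return merged.inUse === true && merged.in_use === true;
}

console.log('lock preserved before fix:', lockSurvives(PROTECTED_FIELDS_BEFORE)); // false
console.log('lock preserved after fix: ', lockSurvives(PROTECTED_FIELDS_AFTER));  // true
```

With the pre-fix list the merged document simply has no inUse key, which is exactly the mid-reservation state the integration test in this PR guards against.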

@david-rocca david-rocca changed the base branch from dr_playground to updated_ur_fields May 1, 2026 16:25
@david-rocca david-rocca merged commit 8bc8232 into updated_ur_fields May 1, 2026
9 checks passed
