SK-2839: Public Release - Harden against supply chain attacks (pin versions + ignore-scripts)

[saileshwar-skyflow]

Summary

• Pin all npm dependency versions — removes every ^/~ range specifier from package.json and replaces them with the exact versions currently resolved in package-lock.json (42 packages updated). Prevents a compromised minor/patch release from being silently pulled on the next install.
• Add --ignore-scripts to all CI install commands (npm ci in main.yml and pr.yml, npm install in common-release.yml) and create .npmrc with ignore-scripts=true as a project-level default for local installs. Blocks malicious postinstall hooks from executing.

Install-script safety audit

All 1,067 packages in the dependency tree were scanned for postinstall, preinstall, and install lifecycle scripts. Zero packages have such hooks — no native binaries, no compiled modules, no build-time setup. --ignore-scripts is unconditionally safe for this repo.

Files changed

File	Change
package.json	Exact-pin 42 dependencies using lock-resolved versions
.npmrc	Created — ignore-scripts=true
.github/workflows/main.yml	npm ci → npm ci --ignore-scripts
.github/workflows/pr.yml	npm ci → npm ci --ignore-scripts
.github/workflows/common-release.yml	npm install → npm install --ignore-scripts

No source files, no logic changes, no version upgrades.

[github-actions]

✅ Gitleaks Findings: No secrets detected. Safe to proceed!

[github-actions]

Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.