[Bug]: npm command pinning warnings from OpenSSF Scorecard #180

@WilliamBerryiii

Description

Component

Scripts

Bug Description

OpenSSF Scorecard analysis identifies npm command pinning warnings in our repository. Unpinned package installations create security and reproducibility risks:

  • Non-deterministic builds: npm install can resolve different dependency versions across runs
  • Supply chain vulnerability: Unpinned global packages (@vscode/vsce) may install compromised versions
  • Scorecard penalty: These warnings reduce our security score

Affected Files:

| File | Line | Current Command | Issue |
| --- | --- | --- | --- |
| .devcontainer/scripts/post-create.sh | 10 | npm install | Should use npm ci |
| .github/workflows/extension-package.yml | 56 | npm install -g @vscode/vsce | Missing version pin |
| .github/workflows/extension-publish.yml | 128 | npm install -g @vscode/vsce | Missing version pin |

Expected Behavior

  1. Replace npm install with npm ci in devcontainer script (uses lockfile for deterministic installs)
  2. Pin @vscode/vsce to version 3.7.1 in GitHub Actions workflows
  3. OpenSSF Scorecard npm pinning warnings resolved
  4. Deterministic, reproducible builds
  5. Improved supply chain security posture

Steps to Reproduce

  1. Run OpenSSF Scorecard analysis on repository
  2. Review npm pinning warnings in output
  3. Check referenced files for unpinned commands

Additional Context

Research documented in .copilot-tracking/research/20260115-npm-pinning-research.md
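As an added example (not part of the issue or the project's own scripts), the following checker flags the two patterns the issue reports: `npm install` where the lockfile-driven `npm ci` is expected, and `npm install -g <pkg>` without an exact `@<version>` pin. It can be run locally against the affected files before the next Scorecard run; the sample file it scans is constructed here, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the issue or the project. It reproduces the two
# findings the issue describes so a fix can be verified locally:
#   - "npm install" where the lockfile-driven "npm ci" is expected
#   - "npm install -g <pkg>" where <pkg> carries no exact @<version> pin
# Assumptions: the global form is written as "npm install -g ..." and the
# files passed in are plain text (shell scripts, workflow YAML).

# classify_npm_line LINE
#   Prints "ok", "install-not-ci" or "unpinned-global"; prints nothing if the
#   line does not run npm at all.
classify_npm_line() {
  local line=$1 rest tok
  case "$line" in
    *"npm install -g"*)
      # Arguments after -g, cut at the first command separator.
      rest=${line#*npm install -g}
      rest=${rest%%&&*}; rest=${rest%%;*}; rest=${rest%%|*}
      for tok in $rest; do
        case "$tok" in
          -*) ;;          # a CLI flag such as --no-audit, not a package
          *@[0-9]*) ;;    # name@<exact version>; a bare "@scope/name" has no @digit
          *) echo unpinned-global; return 0 ;;
        esac
      done
      echo ok ;;
    *"npm install"*) echo install-not-ci ;;
    *"npm ci"*) echo ok ;;
    *) ;;
  esac
}

# check_npm_pinning FILE...
#   Prints one "file:line: message" per finding; returns 1 if anything was found.
check_npm_pinning() {
  local file n line verdict found=0
  for file in "$@"; do
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      verdict=$(classify_npm_line "$line")
      case "$verdict" in
        install-not-ci)
          printf '%s:%d: use "npm ci" (lockfile-driven) instead of: %s\n' "$file" "$n" "$line"
          found=1 ;;
        unpinned-global)
          printf '%s:%d: pin the global package to an exact version: %s\n' "$file" "$n" "$line"
          found=1 ;;
      esac
    done < "$file"
  done
  return $found
}

# count_npm_findings FILE...  -> number of findings, for scripting.
count_npm_findings() { check_npm_pinning "$@" | wc -l | tr -d ' '; }

# Demonstration on a constructed sample file mirroring the issue's table.
sample=$(mktemp)
cat > "$sample" <<'EOF'
npm install
npm install -g @vscode/vsce
npm install -g @vscode/vsce@3.7.1
npm ci
EOF
check_npm_pinning "$sample" || echo "findings present; fix before the next Scorecard run"
rm -f "$sample"
```

Running it over `.devcontainer/scripts/post-create.sh` and the two workflow files should report exactly the three rows in the table above; after the fix (`npm ci`, and `@vscode/vsce@3.7.1` for the global installs) it exits 0. A version range such as `@^3` is still reported, since only an exact pin gives the reproducibility the issue asks for.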

Metadata

Assignees

No one assigned

Labels

bug (Something isn't working), needs-triage (Requires triage and prioritization)
