chore(ci): enable npm pinning enforcement in dependency-pinning-scan workflow #526

@WilliamBerryiii

Description

Summary

Update the dependency-pinning-scan.yml reusable workflow to include npm and workflow-npm-commands dependency types in the default scan, enabling CI enforcement of npm command pinning across all pipelines.

Problem

The dependency-pinning-scan.yml reusable workflow defaults dependency-types to 'github-actions' only. No caller overrides this default:

  • .github/workflows/main.yml — omits dependency-types
  • .github/workflows/pr-validation.yml — omits dependency-types
  • .github/workflows/weekly-security-maintenance.yml — omits dependency-types

This means npm dependency pinning and workflow npm command pinning are never checked in CI — even though the scanner supports these types.

Implementation

1. Update default parameter

In .github/workflows/dependency-pinning-scan.yml, change the dependency-types input default:

dependency-types:
  description: 'Comma-separated list of dependency types to check'
  required: false
  type: string
  default: 'github-actions,npm,workflow-npm-commands'

2. Verify callers inherit the default

Confirm none of these callers explicitly override dependency-types with a value that excludes the new types:

  • .github/workflows/main.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/weekly-security-maintenance.yml

Currently none pass dependency-types at all, so the updated default propagates automatically.

3. Threshold considerations

The existing 95% compliance threshold and -FailOnUnpinned behavior remain appropriate. After prerequisite issues are resolved, all npm commands should be compliant, so no threshold adjustment is needed.
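To make the three dependency types concrete, here is an added example of a small pinning checker in the spirit of the procedure above. It is not the repository's dependency-pinning-scan script; the workflow text and package.json below are constructed sample inputs, the commit SHAs in them are fake placeholders, the line-based parsing is a simplification, and the policy that `npm ci` and a bare `npm install` count as pinned (because the lockfile resolves them) is an assumption about the real scanner. The `scan()` function takes the same three knobs the issue discusses: the comma-separated dependency-types string, the 95% threshold, and fail-on-unpinned.

```python
"""Added example (not the repository's scanner): a minimal pinning checker for the
three dependency types named in the issue. Parsing is line-based and simplified."""
from __future__ import annotations
import json
import re

# Constructed sample inputs, not files from the repository. Both SHAs are fake.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567   # constructed SHA
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # constructed SHA
      - uses: ./.github/actions/local-step
      - run: npm ci
      - run: npx eslint@8.57.0 .
      - run: npx prettier --check .
      - run: npm install lodash@4.17.21 left-pad
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.18.2", "lodash": "^4.17.21"},
    "devDependencies": {"typescript": "~5.4.0"},
})

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.+)$")

def _pkg_is_pinned(spec: str) -> bool:
    """'name@1.2.3' is pinned; bare names, dist-tags and ranges are not. Handles @scope/name."""
    name, sep, version = spec.rpartition("@")
    if not sep or not name:           # no version separator, or only the scope's leading '@'
        return False
    return bool(EXACT_VERSION_RE.match(version))

def check_github_actions(workflow_text: str) -> list[tuple[str, bool]]:
    """Remote `uses:` references are pinned only when the ref is a full 40-hex commit SHA.
    Local actions (./path) and docker:// images are skipped (assumption, kept out of scope)."""
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        results.append((ref, bool(SHA_RE.match(version))))
    return results

def check_workflow_npm_commands(workflow_text: str) -> list[tuple[str, bool]]:
    """npm install / npx commands inside `run:` steps. `npm ci` and bare `npm install`
    resolve through the lockfile and are treated as pinned here (assumption)."""
    results = []
    for line in workflow_text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m.group(1).strip()
        words = cmd.split()
        if words[:1] == ["npx"]:
            pkg = next((w for w in words[1:] if not w.startswith("-")), None)
            results.append((cmd, pkg is not None and _pkg_is_pinned(pkg)))
        elif words[:2] in (["npm", "install"], ["npm", "i"], ["npm", "ci"]):
            pkgs = [w for w in words[2:] if not w.startswith("-")]
            results.append((cmd, all(_pkg_is_pinned(p) for p in pkgs)))  # all([]) is True
    return results

def check_npm(package_json_text: str) -> list[tuple[str, bool]]:
    """package.json dependencies are pinned only when declared as an exact version."""
    manifest = json.loads(package_json_text)
    results = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            results.append((f"{name}@{spec}", bool(EXACT_VERSION_RE.match(spec))))
    return results

DEFAULT_TYPES = "github-actions,npm,workflow-npm-commands"  # the new default from the issue

def scan(dependency_types: str = DEFAULT_TYPES, threshold: float = 95.0,
         fail_on_unpinned: bool = True) -> dict:
    """Same knobs as the workflow: comma-separated types, compliance threshold, fail-on-unpinned."""
    checks = {
        "github-actions": lambda: check_github_actions(SAMPLE_WORKFLOW),
        "npm": lambda: check_npm(SAMPLE_PACKAGE_JSON),
        "workflow-npm-commands": lambda: check_workflow_npm_commands(SAMPLE_WORKFLOW),
    }
    findings = []
    for dep_type in (t.strip() for t in dependency_types.split(",")):
        findings += [(dep_type, ref, ok) for ref, ok in checks[dep_type]()]
    unpinned = [f for f in findings if not f[2]]
    total = len(findings)
    compliance = 100.0 if total == 0 else 100.0 * (total - len(unpinned)) / total
    failed = compliance < threshold or (fail_on_unpinned and bool(unpinned))
    return {"total": total, "unpinned": unpinned, "compliance": compliance, "failed": failed}

if __name__ == "__main__":
    for label, types in (("old default", "github-actions"), ("new default", DEFAULT_TYPES)):
        r = scan(types)
        print(f"{label}: {r['total']} checked, {len(r['unpinned'])} unpinned, "
              f"{r['compliance']:.1f}% compliant, {'FAIL' if r['failed'] else 'PASS'}")
```

Run against the constructed inputs, the old default ('github-actions' only) checks two references and passes, while the new default checks nine and fails on four unpinned npm items that the old default never looked at, which is exactly the gap the issue describes. The `fail_on_unpinned` flag is what makes a single violation merge-blocking regardless of the percentage threshold.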

Acceptance Criteria

  • dependency-pinning-scan.yml default dependency-types updated to 'github-actions,npm,workflow-npm-commands'
  • pr-validation.yml inherits the updated default (merge-blocking enforcement)
  • main.yml inherits the updated default
  • weekly-security-maintenance.yml inherits the updated default
  • CI passes with 0 npm pinning violations

Verification

  1. Check workflow syntax: actionlint .github/workflows/dependency-pinning-scan.yml
  2. Trigger a PR validation run — the dependency pinning job should now scan github-actions, npm, and workflow-npm-commands types
  3. Verify the scan produces a clean report with 0 npm violations

Labels

  • ci: Continuous integration
  • github-actions: GitHub Actions workflows
  • infrastructure: Repository infrastructure and tooling
  • maintenance: Maintenance work, no version bump
  • ossf-compliance: OpenSSF security compliance
  • security: Security-related changes or concerns