chore(build): add lint:dependency-pinning npm script for local validation #529

@WilliamBerryiii

Description

Summary

Add a lint:dependency-pinning npm script to package.json for local dependency pinning validation, and integrate it into the lint:all chain.

Problem

Developers have no local command to check dependency pinning compliance before pushing. The Test-DependencyPinning.ps1 scanner runs in CI but is not exposed as an npm script, unlike other linting tools (lint:md, lint:ps, lint:yaml, lint:frontmatter).

Implementation

1. Add npm script

In package.json, add to the scripts section:

"lint:dependency-pinning": "pwsh -NoProfile -NonInteractive -Command \"./scripts/security/Test-DependencyPinning.ps1 -IncludeTypes 'github-actions,npm,workflow-npm-commands' -FailOnUnpinned\""

2. Update lint:all

Add lint:dependency-pinning to the lint:all script chain. Follow the existing pattern in package.json for how lint:all composes individual lint commands.
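
The following is an added Node.js self-check for the wiring described in steps 1 and 2; it is not code from this repository. It inspects an in-memory copy of package.json and reports anything that would stop the new script from failing a local lint run. The sibling lint scripts and the "&&" composition of lint:all are constructed here as assumptions, since the real package.json is not shown in this issue.

```javascript
// Added example (not from the repository): a Node.js self-check that the npm
// wiring described above is in place. It inspects an in-memory package.json;
// the sibling lint scripts and the "&&" chaining in lint:all are constructed
// here as assumptions about the real file, which is not shown in the issue.
const SCANNER = "scripts/security/Test-DependencyPinning.ps1";
const REQUIRED_TYPES = ["github-actions", "npm", "workflow-npm-commands"];

// Constructed package.json "scripts" section (illustrative, not the real one).
const packageJsonWithWiring = {
  scripts: {
    "lint:md": "markdownlint-cli2 \"**/*.md\"",
    "lint:yaml": "yamllint .",
    "lint:dependency-pinning":
      "pwsh -NoProfile -NonInteractive -Command \"./scripts/security/Test-DependencyPinning.ps1 -IncludeTypes 'github-actions,npm,workflow-npm-commands' -FailOnUnpinned\"",
    "lint:all": "npm run lint:md && npm run lint:yaml && npm run lint:dependency-pinning",
  },
};

// Split "npm run a && npm run b" into ["a", "b"].
function chainedScripts(command) {
  return command
    .split("&&")
    .map((part) => part.trim().replace(/^npm run\s+/, ""))
    .filter(Boolean);
}

// Returns a list of wiring problems; an empty list means the wiring matches
// the acceptance criteria in the issue.
function checkPinningScriptWiring(pkg) {
  const problems = [];
  const scripts = pkg.scripts || {};
  const cmd = scripts["lint:dependency-pinning"];
  if (!cmd) {
    problems.push("missing lint:dependency-pinning script");
    return problems;
  }
  // pwsh (PowerShell 7) is the cross-platform binary; powershell.exe is Windows-only.
  if (!/^pwsh\b/.test(cmd)) problems.push("should invoke pwsh, not powershell");
  // -NoProfile keeps a developer's profile scripts out of the scan; -NonInteractive
  // stops pwsh from blocking on a prompt when run under npm or in CI.
  for (const flag of ["-NoProfile", "-NonInteractive"]) {
    if (!cmd.includes(flag)) problems.push(`pwsh should be run with ${flag}`);
  }
  if (!cmd.includes(SCANNER)) problems.push(`should run ${SCANNER}`);
  const typesMatch = cmd.match(/-IncludeTypes\s+'([^']*)'/);
  const types = typesMatch ? typesMatch[1].split(",").map((t) => t.trim()) : [];
  for (const t of REQUIRED_TYPES) {
    if (!types.includes(t)) problems.push(`-IncludeTypes is missing ${t}`);
  }
  // Without -FailOnUnpinned the scanner only reports, so lint:all could never fail.
  if (!cmd.includes("-FailOnUnpinned")) problems.push("missing -FailOnUnpinned");
  const all = scripts["lint:all"];
  if (!all) {
    problems.push("missing lint:all script");
  } else {
    if (!chainedScripts(all).includes("lint:dependency-pinning")) {
      problems.push("lint:all does not run lint:dependency-pinning");
    }
    // "&&" stops at the first failing linter; ";" or "|" would hide its exit code.
    if (/[;|]/.test(all)) problems.push("lint:all should chain with && only");
  }
  return problems;
}

// A mis-wired variant: the scanner runs but can neither fail nor be reached
// from lint:all. Shown so the check's output is visible on a bad input.
function misWiredExample() {
  const pkg = JSON.parse(JSON.stringify(packageJsonWithWiring));
  pkg.scripts["lint:dependency-pinning"] =
    pkg.scripts["lint:dependency-pinning"].replace(" -FailOnUnpinned", "");
  pkg.scripts["lint:all"] = "npm run lint:md && npm run lint:yaml";
  return checkPinningScriptWiring(pkg);
}
```

Pointing checkPinningScriptWiring at the parsed real package.json (for example via require("./package.json")) gives a quick pre-push check that the -FailOnUnpinned flag is present and that lint:all still reaches the new script after future edits.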

Acceptance Criteria

  • npm run lint:dependency-pinning runs Test-DependencyPinning.ps1 with github-actions,npm,workflow-npm-commands types
  • npm run lint:all includes lint:dependency-pinning in its chain
  • Script exits with non-zero code when unpinned dependencies are found
  • Script exits with zero code when all dependencies are pinned

Verification

  1. Run the new script: npm run lint:dependency-pinning
  2. Verify it produces the same output as running the PowerShell script directly:
    ./scripts/security/Test-DependencyPinning.ps1 -IncludeTypes 'github-actions,npm,workflow-npm-commands' -FailOnUnpinned
  3. Run the full lint chain: npm run lint:all — verify dependency pinning is included
  4. Intentionally add npm install -g some-package to a workflow file to confirm the script fails (then revert)
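
To make the verification steps above concrete, here is an added miniature scanner in Node.js covering the same three -IncludeTypes the npm script passes (github-actions, npm, workflow-npm-commands). It is an illustration, not the repository's Test-DependencyPinning.ps1, and the rules it applies for what counts as "pinned" are my assumptions about the real scanner. The workflow text and manifest are constructed samples; the 40-hex SHA is a placeholder, and step 4's "npm install -g some-package" is included so its effect on the exit code can be seen.

```javascript
// Added example (not the repository's Test-DependencyPinning.ps1): a miniature
// Node.js scanner for the three -IncludeTypes named in the issue. The workflow
// and manifest below are constructed samples, the SHA is a placeholder, and the
// definition of "pinned" per type is an assumption about the real scanner.
const FULL_SHA = /^[0-9a-f]{40}$/;
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

const sampleWorkflow = `
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned to a SHA
      - uses: actions/setup-node@v4                                      # tag: mutable
      - uses: ./.github/actions/local-step                               # local, skipped
      - run: npm ci                                                      # lockfile only
      - run: npm install -g some-package                                 # resolves to latest
      - run: npx markdownlint-cli2@0.17.2 "**/*.md"                      # exact version
      - run: npm install -g @scope/tool@2.0.0 other-tool                 # second arg unpinned
`;

const sampleManifest = {
  dependencies: { "left-pad": "1.3.0", lodash: "^4.17.21" },
  devDependencies: { "markdownlint-cli2": "0.17.2", "yaml-lint": "latest" },
};

// github-actions: `uses: owner/repo@ref` is pinned only when ref is a full commit
// SHA. Tags and branches can be moved to point at different code later.
function scanGitHubActions(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((line, i) => {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const version = ref.slice(ref.lastIndexOf("@") + 1); // whole ref when no "@"
    if (!FULL_SHA.test(version)) findings.push({ type: "github-actions", line: i + 1, detail: ref });
  });
  return findings;
}

// npm: every manifest version must be an exact semver. Ranges (^, ~, >=, *),
// dist-tags such as "latest" and URLs are reported.
function scanNpmManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, version] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(version)) findings.push({ type: "npm", detail: `${name}@${version}` });
    }
  }
  return findings;
}

// Version part of a package spec, allowing for scoped names (@scope/name@1.2.3).
function specVersion(spec) {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  return at === -1 ? "" : spec.slice(at + 1);
}

// workflow-npm-commands: `npm install <pkg>` and `npx <pkg>` in run: steps must
// carry an exact version; a bare name is fetched as "latest" at run time.
function scanWorkflowNpmCommands(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((line, i) => {
    const code = line.replace(/#.*$/, "");
    const m = code.match(/\b(npm\s+(?:install|i)|npx)\s+(.*)$/);
    if (!m) return;
    const positional = m[2].split(/\s+/).filter((a) => a && !a.startsWith("-"));
    // npx runs one package; everything after it is that tool's own arguments.
    const specs = m[1] === "npx" ? positional.slice(0, 1) : positional;
    for (const spec of specs) {
      if (!EXACT_SEMVER.test(specVersion(spec))) {
        findings.push({ type: "workflow-npm-commands", line: i + 1, detail: spec });
      }
    }
  });
  return findings;
}

// Mirrors -FailOnUnpinned: any finding makes the exit code non-zero.
function runScan(workflowText, manifest) {
  const findings = [
    ...scanGitHubActions(workflowText),
    ...scanNpmManifest(manifest),
    ...scanWorkflowNpmCommands(workflowText),
  ];
  return { findings, exitCode: findings.length > 0 ? 1 : 0 };
}

// One line per finding, as a CI log would show them.
function formatFindings(result) {
  return result.findings.map((f) => `${f.type}${f.line ? ` (line ${f.line})` : ""}: ${f.detail}`);
}
```

On the sample input the scan reports actions/setup-node@v4, lodash@^4.17.21, yaml-lint@latest, some-package and other-tool, and returns exit code 1; removing those five and re-running returns 0, which is the behaviour the acceptance criteria demand of the real script. To use the file as a gate, end it with process.exit(runScan(workflow, manifest).exitCode) so the npm script fails the step exactly as -FailOnUnpinned does.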

Dependencies

  • Blocked by #525: that PR must merge before this npm script can be added (see Important below).

How to Build This

This is a simple configuration task using the task-implementor workflow. Even for straightforward changes, the RPI phases help verify assumptions and catch edge cases.

Workflow: /task-research, then /task-plan, then /task-implement, then /task-review

Tip

Between each phase, type /clear or start a new chat to reset context.

Important

This issue depends on #525 — that PR must merge before this npm script can be added.

Phase 1: Research

Source Material

  • This issue body
  • #file:package.json (existing npm scripts)
  • #file:scripts/security/Test-DependencyPinning.ps1 (script to wrap)
  • #file:scripts/README.md (scripts documentation)

Steps

  1. Type /clear to start a fresh context.
  2. Attach or open the files listed above.
  3. Copy and run this prompt:
/task-research topic="npm script wiring for PowerShell security validation"

Research how existing npm scripts in package.json invoke PowerShell validation scripts.
Investigate:

1. The naming convention for lint scripts (lint:md, lint:ps, lint:yaml, lint:frontmatter patterns)
2. How PowerShell scripts are invoked cross-platform (pwsh vs powershell, path handling)
3. What arguments Test-DependencyPinning.ps1 expects and how its output is directed
4. Whether a lint:dependency-pinning script exists already or if similar wiring patterns
   can be reused from lint:ps or test:ps

Output: Research document at .copilot-tracking/research/{{YYYY-MM-DD}}-dependency-pinning-npm-research.md

Phase 2: Plan

Source Material

  • Research document from Phase 1

Steps

  1. Type /clear to start a fresh context.
  2. Open the research document from Phase 1.
  3. Copy and run this prompt:
/task-plan

Create an implementation plan for adding the lint:dependency-pinning npm script
to package.json. The plan should specify the exact JSON to add and confirm the
PowerShell invocation pattern matches existing lint scripts.

Output: Plan at .copilot-tracking/plans/ and details at .copilot-tracking/details/

Phase 3: Implement

Source Material

  • Plan from Phase 2

Steps

  1. Type /clear to start a fresh context.
  2. Open the plan document from Phase 2.
  3. Copy and run this prompt:
/task-implement

Implement the lint:dependency-pinning npm script addition to package.json following
the plan. Ensure the script invokes Test-DependencyPinning.ps1 using the same pattern
as other lint scripts.

Output: Modified package.json, changes log at .copilot-tracking/changes/

Phase 4: Review

Source Material

  • Plan from Phase 2
  • Changes log from Phase 3

Steps

  1. Type /clear to start a fresh context.
  2. Open the plan and changes log.
  3. Copy and run this prompt:
/task-review

Review the lint:dependency-pinning npm script addition. Verify:
- Run `npm run lint:dependency-pinning` to confirm the script executes
- Check that package.json maintains valid JSON structure
- Confirm the script follows naming conventions used by other lint commands
- Verify the lint:all script includes the new command (if applicable)

Output: Review log at .copilot-tracking/reviews/

After Review

  • Pass: All criteria met. Create a PR referencing this issue.
  • Iterate: Review found issues. Run /clear, return to Phase 3 with the review feedback.
  • Escalate: Fundamental design issue discovered. Run /clear, return to Phase 1 to research the gap.

Authoring Standards

  • npm scripts use the lint: prefix for validation commands
  • PowerShell invocation uses the pwsh -NoProfile -NonInteractive -Command pattern
  • JSON formatting matches the existing package.json indentation

Success Criteria

  • npm run lint:dependency-pinning executes Test-DependencyPinning.ps1 successfully
  • package.json remains valid JSON
  • Script naming follows the lint: convention

Metadata

Labels

  • good first issue: Good for newcomers
  • linting: Linting rules and validation
  • maintenance: Maintenance work, no version bump
  • npm: NPM package configuration
  • ossf-compliance: OpenSSF security compliance
  • security: Security-related changes or concerns

Development

No branches or pull requests