Merge pull request #568 from docker/sec-cli/npm-ci-20260612-184913

fix: replace npm install with npm ci (20260612-184913)

dev.Dockerfile

@@ -17,7 +17,7 @@ FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
-  yarn install && mkdir /vendor && cp yarn.lock /vendor
+  yarn install --immutable && mkdir /vendor && cp yarn.lock /vendor
 
 FROM scratch AS vendor-update
 COPY --from=deps /vendor /

dist/licenses.txt

@@ -1792,12 +1792,11 @@ SOFTWARE.
 
 -----------
 
-The following npm packages may be included in this product:
+The following npm package may be included in this product:
 
  - js-yaml@4.1.1
- - js-yaml@4.2.0
 
-These packages each contain the following license:
+This package contains the following license:
 
 (The MIT License)
 

package.json

@@ -25,7 +25,7 @@
   "dependencies": {
     "@actions/core": "^3.0.1",
     "@docker/actions-toolkit": "^0.91.0",
-    "js-yaml": "^4.2.0"
+    "js-yaml": "^4.1.1"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.3",

yarn.lock

@@ -2843,7 +2843,7 @@ __metadata:
     eslint-plugin-prettier: "npm:^5.5.5"
     generate-license-file: "npm:^4.1.1"
     globals: "npm:^17.3.0"
-    js-yaml: "npm:^4.2.0"
+    js-yaml: "npm:^4.1.1"
     prettier: "npm:^3.8.1"
     typescript: "npm:^5.9.3"
     vitest: "npm:^4.0.18"
@@ -4000,17 +4000,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"js-yaml@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "js-yaml@npm:4.2.0"
-  dependencies:
-    argparse: "npm:^2.0.1"
-  bin:
-    js-yaml: bin/js-yaml.js
-  checksum: 10/51de2067a2b44b07ba5206132e56005f8b568ff279bb4d2f645068958c56fa4827d40a6841c983234671fa0a134bf094d0b0717873c2a3d319185297af145a6d
-  languageName: node
-  linkType: hard
-
 "jsbn@npm:1.1.0":
   version: 1.1.0
   resolution: "jsbn@npm:1.1.0"