Explicitly pin versions of tool dependencies

[aj-stein-gsa]

This is a ...

improvement - something could be better

This relates to ...

• [X] the FedRAMP OSCAL Validations

User Story

As a FedRAMP Automation Team developer, to have precise understanding and control of my how source code and data are processed, I would like the build tool and how it executes npx oscal ... to use pinned versions and explicitly define which version CI/CD uses and not just the most recent version by use of the npx oscal use latest alias.

Goals

• [ ] Clearer understanding of what tools with which features are used
• [ ] Better security and stability guarantees for internal staff, contractors, and community members of what was built how
• [ ] Follow best practices with tools: even if slightly more work, prefer pinning over not pinning

Dependencies

N/A

Acceptance Criteria

• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.See the deep link to the current Makefile we need to change.
  • [ ] Ensure npx oscal use uses a specific oscal-cli version defined in the Makefile change
  • [ ] Additionally, choose to either 1) put the version explicitly after oscal@ with NPX or consider the use of a package.json and backing manifest file with npm install or npx (if supported) so that dependabot can update it simply but upstream releases

Other information

N/A

[aj-stein-gsa]

Sorry I will be the source of unfun security nerd requests I am happy to discuss, but will ping specifically @wandmagic for awareness.