story: refactor Node dependency pins

[wesley-dean-flexion]

Describe the User Story

As a security engineer, so that Node dependencies can be managed by automated tooling (e.g., Depenabot, Renovate, npm audit, etc.), I would like Node dependencies specifications to be removed from source files (e.g., the Dockerfile) and placed, instead, in a file intended for dependency tracking (e.g., package.json).

Acceptance Criteria

• [ ] dependency specification removed from Dockerfile, GitHub Action workflow files, etc.
• [ ] dependency specification added to a separate mechanism designed for specifying dependencies (e.g., package.json) #324
• [ ] dependency management tooling updated to scan the dependency specification
• [ ] workflow continues to function as it did previously (i.e., don't break anything)
• [ ] support the composite action mechanism from #257

Definition of Done

• [ ] Acceptance criteria met
• [ ] Usability tests passed - this user story should be easy to use by real users
• [ ] Code refactored for clarity - code must be clean, self-documenting code
• [ ] Dependency Rule followed - higher-level code should not depend directly on lower-level code
• [ ] Source code merged
• [ ] Unit test coverage of our code > 90%
• [ ] Security reviewed and reported - includes vulnerability and compliance scanning
• [ ] Code quality checks passed
• [ ] Build process updated if needed
• [ ] API documentation updated if needed

Additional Information

If a package.json (or similar.. whatever) approach is used, the setup action becomes more generalized from "install this version of this package" to "install the required dependencies"

steps:
- uses: actions/setup-node@v4
- run: npm ci

This applies not only to GitHub Actions at runtime, but also Docker image builds. So, it would go from

RUN npm install ...

to

WORKDIR /destination/
COPY file /destination/
RUN npm ci

Related Feature Request

257