Labels: dependencies (Dependency updates), security (Security-related change)
Description
Problem
npm packages (markdownlint-cli2, biome, stylelint) are installed at pinned versions but without a committed package-lock.json. npm verifies the integrity of each tarball it downloads against the registry's metadata, but no lockfile records the exact resolved dependency tree, so a compromised transitive dependency published under an unchanged version could slip through.
Proposal
Generate and commit a package-lock.json for each image that uses npm packages. Use npm ci instead of npm install -g in the Dockerfile so that installs come from the lockfile.
This needs some investigation into how to reconcile global installs with a lockfile (possibly install from a local package.json and then symlink the binaries).
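One way to carry out the proposal above, as an added Dockerfile fragment that is not from this repository. It assumes a package.json beside it that lists markdownlint-cli2, @biomejs/biome and stylelint as dependencies at exact versions, with package-lock.json generated from it via `npm install --package-lock-only` and committed; the image name, paths and the `--ignore-scripts` choice are assumptions.

```dockerfile
# Base image is an assumption; any image with a recent npm works.
FROM node:20-alpine

# Install the linters from a committed package.json + package-lock.json
# rather than `npm install -g <pkg>@<version>`, so the whole resolved
# tree (transitive deps included) is pinned with integrity hashes.
WORKDIR /opt/lint-tools
COPY package.json package-lock.json ./

# `npm ci` refuses to run when package-lock.json is missing or out of
# sync with package.json, and installs exactly what the lockfile resolved.
# --ignore-scripts keeps dependencies from running install-time scripts;
# drop it only for a tool that genuinely needs a postinstall step.
RUN npm ci --ignore-scripts \
    && npm cache clean --force

# Expose the CLIs image-wide by symlinking the bin entries npm created,
# which is what the global install used to provide.
RUN for bin in /opt/lint-tools/node_modules/.bin/*; do \
      ln -s "$bin" "/usr/local/bin/$(basename "$bin")"; \
    done

# Build-time check that each tool resolves through the symlink.
RUN markdownlint-cli2 --version && biome --version && stylelint --version
```

Re-running `npm install --package-lock-only` after bumping a version in package.json is the only way the resolved tree changes, so dependency updates become reviewable diffs of the lockfile.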
Context
Flagged by both reviews. All GitHub-hosted binaries already have per-arch SHA256 verification; npm packages are the remaining gap.