
chore(deps): pin CodeMirror dependencies and add automated pinning check#1570

Merged
ArtieReus merged 7 commits into main from artie-pin-greenhouse-dependencies on Mar 24, 2026

Conversation

@ArtieReus (Collaborator) commented Mar 24, 2026

Summary

This PR pins all CodeMirror dependencies in the Greenhouse app and introduces an automated CI/CD check
to prevent unpinned dependencies from being introduced in the future. This is a security hardening
measure to protect against supply chain attacks where malicious code could be injected through
automatic dependency updates.

Changes Made

  • Pinned CodeMirror dependencies in apps/greenhouse/package.json (removed ^ prefixes)
    • @codemirror/lang-yaml: ^6.1.2 → 6.1.2
    • @codemirror/language: ^6.12.2 → 6.12.2
    • @codemirror/state: ^6.5.4 → 6.5.4
    • @codemirror/theme-one-dark: ^6.1.2 → 6.1.2
    • @codemirror/view: ^6.39.15 → 6.39.15
  • Added automated dependency pinning check script (.github/scripts/check-pinned-dependencies.js)
  • Created standalone GitHub Actions workflow (.github/workflows/check-dependency-pinning.yaml)
  • Integrated pinning check into existing CI checks matrix (.github/workflows/ci-checks.yaml)
  • Added npm script check-pinned-deps to root package.json for local testing
  • Created comprehensive documentation (.github/scripts/README-DEPENDENCY-PINNING.md)

Related Issues

Why This Matters:
Version ranges (^, ~, >=) allow package managers to automatically install newer versions, which
can introduce malicious code through supply chain attacks.

Historical Examples:

  • event-stream@3.3.6 - Bitcoin wallet stealer injected via compromised dependency
  • ua-parser-js@0.7.29 - Cryptominer backdoor affecting 9M+ weekly downloads
  • coa@2.0.3 - Password stealer in widely-used package

Screenshots (if applicable)

Screenshot 2026-03-24 at 14 09 25

Testing Instructions

  1. pnpm install --frozen-lockfile
  2. pnpm run check-pinned-deps - Should pass with no errors
  3. node .github/scripts/check-pinned-dependencies.js - Direct script execution
  4. Test violation detection (optional):

       # Create test file with unpinned dependency
       echo '{"dependencies":{"test":"^1.0.0"}}' > test-package.json
       node .github/scripts/check-pinned-dependencies.js # Should fail
       rm test-package.json

  5. Verify CI check is added to matrix:

       grep -A 2 "dependency-pinning-check" .github/workflows/ci-checks.yaml

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.
  • I have created a changeset for my changes.

PR Manifesto

Review the PR Manifesto for best practices.
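To make the pinning rule concrete, here is an added illustration of the kind of check the PR describes; it is not the PR's own .github/scripts/check-pinned-dependencies.js and its handling of workspace: and npm: specifiers, and the sample manifest, are my assumptions.

```javascript
// Added example: flag every specifier in a package.json that is not an exact
// semver version. Not the PR's script; written to show the rule it enforces.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Exact version: MAJOR.MINOR.PATCH, optionally with pre-release / build suffix.
// Anything with ^, ~, >=, x, *, "latest" or a bare tag fails this test.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Assumption: "workspace:" links point at packages inside the monorepo, so they
// are never fetched from the registry and are accepted as-is.
function isPinned(spec) {
  if (spec.startsWith('workspace:')) return true;
  // npm alias (npm:name@1.2.3 or npm:@scope/name@1.2.3): judge the part after the last '@'.
  if (spec.startsWith('npm:')) {
    const at = spec.lastIndexOf('@');
    return at > 4 && EXACT_SEMVER.test(spec.slice(at + 1));
  }
  return EXACT_SEMVER.test(spec);
}

// Returns one record per unpinned entry: { field, name, spec }. An empty array
// means the manifest passes, which is what a CI gate would key on.
function findUnpinned(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const violations = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(String(spec))) violations.push({ field, name, spec });
    }
  }
  return violations;
}

// Constructed sample manifest: the CodeMirror entries are pinned as in the PR,
// one dependency and one devDependency are still ranges (names are made up).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    '@codemirror/lang-yaml': '6.1.2',
    '@codemirror/state': '6.5.4',
    '@codemirror/view': '6.39.15',
    'left-pad': '^1.3.0',
    'local-ui-lib': 'workspace:*',
  },
  devDependencies: { typescript: '>=5.0.0', vitest: 'npm:vitest@3.1.1' },
});

for (const v of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.error(`${v.field}.${v.name} uses "${v.spec}", not an exact version`);
}
```

Pinning package.json only fixes direct dependencies; transitive versions are held by the lockfile, which is why step 1 of the testing instructions installs with --frozen-lockfile.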

@ArtieReus ArtieReus requested a review from a team as a code owner March 24, 2026 10:24
changeset-bot commented Mar 24, 2026

🦋 Changeset detected

Latest commit: 63dd608

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

  Name                                  Type
  @cloudoperators/juno-app-greenhouse   Patch


@ArtieReus ArtieReus changed the title Artie pin greenhouse dependencies chore(deps): pin CodeMirror dependencies and add automated pinning check Mar 24, 2026
@ArtieReus ArtieReus self-assigned this Mar 24, 2026
@ArtieReus ArtieReus merged commit 25237e6 into main Mar 24, 2026
17 checks passed
@ArtieReus ArtieReus deleted the artie-pin-greenhouse-dependencies branch March 24, 2026 13:49