Harden supply chain security settings#1652

Open
kmcginnes wants to merge 3 commits into aws:main from kmcginnes:harden-pnpm-supply-chain

Conversation

Collaborator

kmcginnes commented Apr 9, 2026

Description

Adds pnpm supply chain hardening settings and tightens the Dockerfile and CI install steps based on a review of npm security best practices.

  • strictDepBuilds: true — Fail pnpm install if any dependency tries to run a build script that hasn't been explicitly allowed. core-js is added to ignoredBuiltDependencies to suppress its sponsorship postinstall.
  • onlyBuiltDependencies: [esbuild] — Explicitly allow the esbuild postinstall script, which installs the platform-specific binary.
  • blockExoticSubdeps: true — Prevent transitive dependencies from resolving to git repos or raw tarball URLs.
  • trustPolicy: no-downgrade — Refuse to install a package version whose publish-time trust evidence (provenance, signatures) is weaker than a previously published version.
  • --frozen-lockfile on both Dockerfile install steps and the CI unit test workflow, ensuring deterministic installs.
  • --ignore-scripts kept on the production install in the Dockerfile as defense-in-depth.
  • Documentation added to docs/development.md explaining the supply chain settings and what to do when pnpm install rejects a dependency.

Validation

  • pnpm install --frozen-lockfile succeeds locally with all new settings
  • No changes to application code or tests

Related Issues

None

Check List

  • I confirm that my contribution is made under the terms of the Apache 2.0 license.
  • I have verified pnpm checks passes with no errors.
  • I have verified pnpm test passes with no failures.
  • I have covered new added functionality with unit tests if necessary.
  • I have updated documentation if necessary.
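The settings listed in the description, collected into one pnpm-workspace.yaml as an added illustration (this is not the PR's diff; the file location, the packages glob and the comments are assumptions based on the bullet points above):

```yaml
# pnpm-workspace.yaml (assumption: pnpm 10 reads these settings from this
# file next to the workspace package globs; the glob below is illustrative)
packages:
  - "packages/*"

# Fail `pnpm install` if any dependency tries to run a lifecycle script that
# has not been explicitly allowed in the lists below.
strictDepBuilds: true

# Allow-list: esbuild's postinstall fetches its platform-specific binary and
# is the only dependency build permitted to run.
onlyBuiltDependencies:
  - esbuild

# Known-and-skipped list: core-js's sponsorship postinstall is deliberately
# not run, so it is silenced instead of failing the install.
ignoredBuiltDependencies:
  - core-js

# Transitive dependencies may not resolve to git repositories or raw tarball
# URLs; everything has to come from the registry.
blockExoticSubdeps: true

# Refuse a version whose publish-time trust evidence (provenance, signatures)
# is weaker than that of a previously published version of the same package.
trustPolicy: no-downgrade
```

With this file in place, a newly added dependency that ships a build script makes `pnpm install --frozen-lockfile` fail under strictDepBuilds until a reviewer deliberately places it in onlyBuiltDependencies or ignoredBuiltDependencies, so the decision to run third-party install-time code becomes an explicit, reviewable change rather than a silent default.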

kmcginnes marked this pull request as ready for review April 9, 2026 21:37
kmcginnes force-pushed the harden-pnpm-supply-chain branch from 4268c4c to 5b26f4e on April 9, 2026 21:51
codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.58%. Comparing base (c5affc5) to head (1085afc).
⚠️ Report is 123 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1652       +/-   ##
===========================================
+ Coverage   47.81%   72.58%   +24.76%     
===========================================
  Files         382      408       +26     
  Lines        8525    12265     +3740     
  Branches     3159     3518      +359     
===========================================
+ Hits         4076     8902     +4826     
+ Misses       3070     2343      -727     
+ Partials     1379     1020      -359     
Flag: unittests, coverage 72.58% <ø> (+24.76%) ⬆️
