Description of the bug
The documentation specifies that either npm install or yarn install are called; however, it is widely known that these calls can result in newer versions of packages being installed that meet the package.json version pattern requirements. It is generally best practice to use npm ci & yarn install --frozen-lockfile to ensure that only the versions specified in the lock files are what is actually installed.
- NPM: https://docs.npmjs.com/cli/v10/commands/npm-ci
- Yarn: https://classic.yarnpkg.com/lang/en/docs/cli/install/
If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass --frozen-lockfile flag.
Reproduction instructions
Set up a repository with this package with a minimal configuration and a lock file. Observe that patch releases may automatically be installed that are not what's listed in the lock file.
Expected behavior
When packages are installed they should only be the versions in the lock file.
Environment info
No response
Relevant log output
No response
Additional context
No response
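The drift the issue describes (a newer patch release satisfying the package.json range but not matching the lock file) can be checked for after any install step. The following is an added example, not code from the issue or the project: it compares the `packages` map of a constructed lockfileVersion 3 `package-lock.json` against a constructed `node_modules` tree and reports every entry whose installed version differs from the locked one.

```python
import json
import tempfile
from pathlib import Path

# Constructed lockfile fragment (lockfileVersion 3 layout) used by demo().
CONSTRUCTED_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.20"}},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/semver": {"version": "7.5.4"},
    },
}

def lock_versions(lock):
    """Map 'node_modules/<pkg>' paths to locked versions from the v2/v3
    'packages' map; the root entry '' carries no version and is skipped."""
    return {p: i["version"] for p, i in lock.get("packages", {}).items()
            if p and "version" in i}

def installed_version(project_root, pkg_path):
    """Version from <root>/<pkg_path>/package.json, or None if not installed."""
    manifest = Path(project_root) / pkg_path / "package.json"
    if not manifest.is_file():
        return None
    return json.loads(manifest.read_text())["version"]

def find_drift(lock, project_root):
    """Return {path: (locked, installed)} for every lock entry that differs
    from what is on disk. An empty dict means node_modules matches the lock."""
    drift = {}
    for path, locked in lock_versions(lock).items():
        actual = installed_version(project_root, path)
        if actual != locked:
            drift[path] = (locked, actual)
    return drift

def write_installed(project_root, pkg_path, version):
    """Build one constructed node_modules entry for the demo tree."""
    d = Path(project_root) / pkg_path
    d.mkdir(parents=True, exist_ok=True)
    name = pkg_path.rsplit("/", 1)[-1]
    (d / "package.json").write_text(json.dumps({"name": name, "version": version}))

def demo():
    """Simulate `npm install` resolving a newer lodash patch than the lock lists."""
    with tempfile.TemporaryDirectory() as root:
        write_installed(root, "node_modules/lodash", "4.17.21")  # still matches ^4.17.20
        write_installed(root, "node_modules/semver", "7.5.4")    # identical to lock
        return find_drift(CONSTRUCTED_LOCK, root)

if __name__ == "__main__":
    for path, (locked, actual) in demo().items():
        print(f"DRIFT {path}: lock={locked} installed={actual}")
```

Running this against a real checkout means passing the parsed `package-lock.json` and the project root to `find_drift`; a non-empty result is the condition `npm ci` would have refused to produce.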