
npm dependency pinning uses exact-version enforcement instead of SHA-pinning #855

@WilliamBerryiii

Description

Scope Change Documentation

PR #838 introduces npm dependency pinning enforcement with a strategic departure from the SHA-pinning model used for GitHub Actions.

Decision

npm dependencies are validated using exact-version enforcement (X.Y.Z with no ^, ~, *, or range operators) rather than SHA-pinning (40-character commit hashes).

Rationale

| Factor | GitHub Actions (SHA) | npm (Exact Version) |
| --- | --- | --- |
| Registry model | Git repositories with mutable tags | Immutable registry artifacts |
| Integrity verification | SHA pins to specific commit | Lockfile integrity hashes (SHA-512) |
| Audit compatibility | N/A | npm audit requires semver versions |
| Reproducibility | SHA guarantees exact code | Lockfile + exact version guarantees exact code |
| Human readability | 40-char hex strings | Semantic version numbers |

Validation

The scanner enforces exact versions with the regex ^\d+\.\d+\.\d+$. Any version specifier using ranges (^1.0.0, ~1.0.0, >=1.0.0), wildcards (*, latest), or other non-exact formats is flagged as a violation.
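As an added illustration (this is not the project's Test-DependencyPinning.ps1 and not code from PR #838), the PowerShell script below applies the same ^\d+\.\d+\.\d+$ rule to a constructed package.json, classifies why each specifier fails, and then cross-checks every exact pin against a constructed package-lock.json (lockfileVersion 3) for a matching version and a sha512 integrity entry, since the lockfile hash is what actually fixes the artifact. The function names, the sample manifests, the failure categories and the placeholder integrity value are assumptions made for this example.

```powershell
# Added example, not the project's scanner. Assumed: function names, sample
# manifests, classification categories, and the placeholder integrity hash.

$ExactVersionPattern = '^\d+\.\d+\.\d+$'

function Get-SpecifierKind {
    # Explain why a specifier fails the exact-version rule (assumed categories).
    param([string] $Specifier)
    switch -Regex ($Specifier) {
        '^(npm:|git\+|github:|file:|link:|workspace:|https?://)' { return 'protocol/url' }
        '^(latest|next|\*|x)$'                                   { return 'tag/wildcard' }
        '^\d+\.\d+\.\d+[-+]'                                      { return 'prerelease/build metadata (exact, but rejected by the regex)' }
        '[\^~<>=|]|\bx\b|\s-\s'                                   { return 'range operator' }
        default                                                   { return 'non-exact' }
    }
}

function Test-NpmExactPinning {
    # Emit one object per dependency whose specifier is not X.Y.Z.
    param(
        [Parameter(Mandatory)] [string] $PackageJsonText,
        [string[]] $Sections = @('dependencies', 'devDependencies', 'optionalDependencies')
    )
    $manifest = $PackageJsonText | ConvertFrom-Json
    foreach ($section in $Sections) {
        $deps = $manifest.$section
        if ($null -eq $deps) { continue }
        foreach ($dep in $deps.PSObject.Properties) {
            if ($dep.Value -notmatch $ExactVersionPattern) {
                [pscustomobject]@{
                    Section   = $section
                    Package   = $dep.Name
                    Specifier = $dep.Value
                    Kind      = Get-SpecifierKind $dep.Value
                }
            }
        }
    }
}

function Test-LockfileIntegrity {
    # For each exact pin, require a lockfile entry with the same version and a sha512 hash.
    param(
        [Parameter(Mandatory)] [string] $PackageJsonText,
        [Parameter(Mandatory)] [string] $LockfileText
    )
    $manifest = $PackageJsonText | ConvertFrom-Json
    $lock     = $LockfileText   | ConvertFrom-Json
    foreach ($section in 'dependencies', 'devDependencies') {
        $deps = $manifest.$section
        if ($null -eq $deps) { continue }
        foreach ($dep in $deps.PSObject.Properties) {
            # Only an exact pin maps to a single lockfile entry; ranges are reported elsewhere.
            if ($dep.Value -notmatch $ExactVersionPattern) { continue }
            $entry   = $lock.packages.("node_modules/$($dep.Name)")
            $problem = $null
            if ($null -eq $entry) { $problem = 'missing from lockfile' }
            elseif ($entry.version -ne $dep.Value) { $problem = "lockfile resolves $($entry.version)" }
            elseif ($entry.integrity -notmatch '^sha512-[A-Za-z0-9+/]{86}==$') { $problem = 'no sha512 integrity hash' }
            if ($problem) {
                [pscustomobject]@{ Section = $section; Package = $dep.Name; Pinned = $dep.Value; Problem = $problem }
            }
        }
    }
}

# Constructed sample manifest: three exact pins plus the specifier styles the rule rejects.
$samplePackageJson = @'
{
  "dependencies": {
    "express": "4.19.2",
    "debug": "4.3.4",
    "ms": "2.1.3",
    "lodash": "^4.17.21",
    "left-pad": "latest",
    "semver": "7.6.0-beta.1"
  },
  "devDependencies": {
    "typescript": "~5.4.0",
    "my-fork": "github:example/my-fork#main"
  }
}
'@

# Constructed sample lockfile (v3). The integrity value is a placeholder of the right
# shape, not a real hash; debug has a drifted version and ms has no integrity field.
$sampleLockfile = (@'
{
  "name": "sample",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "express": "4.19.2", "debug": "4.3.4", "ms": "2.1.3" } },
    "node_modules/express": { "version": "4.19.2", "integrity": "PLACEHOLDER_INTEGRITY" },
    "node_modules/debug":   { "version": "4.3.5",  "integrity": "PLACEHOLDER_INTEGRITY" },
    "node_modules/ms":      { "version": "2.1.3" }
  }
}
'@) -replace 'PLACEHOLDER_INTEGRITY', ('sha512-' + ('A' * 86) + '==')

$pinViolations = @(Test-NpmExactPinning -PackageJsonText $samplePackageJson)
$lockProblems  = @(Test-LockfileIntegrity -PackageJsonText $samplePackageJson -LockfileText $sampleLockfile)
$pinViolations | Format-Table -AutoSize
$lockProblems  | Format-Table -AutoSize
"$($pinViolations.Count) pinning violation(s), $($lockProblems.Count) lockfile problem(s)"
```

On the constructed input the first table lists lodash, left-pad, semver, typescript and my-fork, and the second lists debug (version drift) and ms (no integrity hash); express passes both checks. Note the semver row: an exact prerelease such as 7.6.0-beta.1 is still rejected by ^\d+\.\d+\.\d+$, so a repository that legitimately depends on prerelease builds needs either a deliberate exception or a widened pattern. In CI the two counts would feed a non-zero exit code.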

Implementation Details

  • Scanner: scripts/security/Test-DependencyPinning.ps1 — $DependencyPatterns.npm entry with VersionPattern regex
  • Documentation: docs/security/dependency-pinning.md — Full rationale with SHA vs exact-version comparison
  • Tests: 100 Pester tests including 8 SARIF integration tests validating severity mapping and output structure
  • PR: feat(build): enable npm pinning enforcement in dependency scan #838

Follow-Up Items Delivered in #838

  1. pip ExcludePatterns — Virtual environment directories excluded from scanning
  2. SARIF integration tests — 8 focused tests replacing 1 weak assertion
  3. Dependency pinning documentation — Comprehensive docs page with CI integration flowchart

This issue serves as a record of the scope change decision for future reference.

Labels: documentation