From f84f17a40bd7e68428d23e716d349dc6a20dce9e Mon Sep 17 00:00:00 2001
From: Eric Joanis
Date: Thu, 22 Jan 2026 10:44:12 -0500
Subject: [PATCH 1/2] ci: use `npm ci` everywhere to use the lock file stricly

---
 .github/workflows/bundle.yml | 2 +-
 .github/workflows/deploy.yml | 2 +-
 .github/workflows/dev-preview.yml | 2 +-
 .github/workflows/pr-preview.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/windows-tests.yml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml
index 02a9e897..a6e444dd 100644
--- a/.github/workflows/bundle.yml
+++ b/.github/workflows/bundle.yml
@@ -16,7 +16,7 @@ jobs:
 with:
 node-version: "22"
 package-manager-cache: false
- - run: npm install
+ - run: npm ci
 - run: npx update-browserslist-db@latest
 - run: npx nx bundle web-component
 - name: Create Pull Request
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7897a057..7b60c146 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,7 +18,7 @@ jobs:
 - uses: actions/setup-node@v6
 with:
 node-version: "22"
- - run: npm install
+ - run: npm ci
 - run: npx update-browserslist-db@latest
 - name: Build web-component
 run: |
diff --git a/.github/workflows/dev-preview.yml b/.github/workflows/dev-preview.yml
index a33c26bc..2f230ad7 100644
--- a/.github/workflows/dev-preview.yml
+++ b/.github/workflows/dev-preview.yml
@@ -19,7 +19,7 @@ jobs:
 - uses: actions/setup-node@v6
 with:
 node-version: "22"
- - run: npm install
+ - run: npm ci
 - run: npx update-browserslist-db@latest
 - name: Build web-component
 run: |
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index 1e70c367..64d68eb2 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
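Review bot: The context line directly after the changed install step, `- run: npx update-browserslist-db@latest`, still pulls and executes an unpinned package on every run, so once that step finishes the installed tree is no longer exactly what the lock file describes. This applies to the bundle.yml, deploy.yml and dev-preview.yml hunks, and the same line appears in the release.yml and windows-tests.yml hunks; pr-preview.yml has a step named "Always preview with the latest browserslist db" whose body is outside its hunk. If strict lock-file use is the goal, refresh the browserslist data in a scheduled pull request that commits the updated lock file rather than at build time, or at least pin the tool itself, e.g. `- run: npx update-browserslist-db@<pinned-version>`, so the code that runs is a reviewed version. Each job's step list begins and continues outside the hunks shown.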
@@ -26,7 +26,7 @@ jobs:
 - name: Install
 if: github.event.action != 'closed'
 run: |
- npm install
+ npm ci
 - name: Always preview with the latest browserslist db
 if: github.event.action != 'closed'
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5e6123c9..4397433e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -37,7 +37,7 @@ jobs:
 package-manager-cache: false
 - name: Update npm to latest version for OIDC/Trusted Publishing support
 run: npm install -g npm@latest
- - run: npm install
+ - run: npm ci
 - run: npx update-browserslist-db@latest
 - name: Build and bundle
 run: |
diff --git a/.github/workflows/windows-tests.yml b/.github/workflows/windows-tests.yml
index ffd9b999..52754099 100644
--- a/.github/workflows/windows-tests.yml
+++ b/.github/workflows/windows-tests.yml
@@ -16,7 +16,7 @@ jobs:
 - uses: actions/setup-node@v6
 with:
 node-version: 22
- - run: npm install --verbose
+ - run: npm ci --verbose
 - run: npx update-browserslist-db@latest
 - name: Ng test for studio-web
 run: |

From 2c895fe0acb81626da01409a90778095109c0a8a Mon Sep 17 00:00:00 2001
From: Eric Joanis
Date: Thu, 22 Jan 2026 12:04:56 -0500
Subject: [PATCH 2/2] build(deps): npm audit fix to resolve CVEs

Replaces #513 and #514
---
 package-lock.json | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 46238fc2..fa36e2fa 100644
--- a/package-lock.json
+++ b/package-lock.json
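Review bot: In the release.yml hunk the context line `run: npm install -g npm@latest` still installs whatever npm version is newest at run time, immediately before the now-strict `npm ci`; the step name suggests this job does OIDC/Trusted Publishing, so unpinned tooling here presumably runs where publish credentials can be obtained. Pin it to a known version and bump it deliberately, e.g. `run: npm install -g npm@<pinned-version>`. If no dependency needs its install scripts in this job, `- run: npm ci --ignore-scripts` would also keep third-party lifecycle scripts from running there. The job's permissions and its publish step are outside the hunk, so confirm against the full file.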
@@ -27629,9 +27629,9 @@ "license": "MIT" }, "node_modules/diff": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", - "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.4.tgz", + "integrity": "sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==", "dev": true, "license": "BSD-3-Clause", "engines": { @@ -37643,9 +37643,9 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "version": "4.17.23", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", + "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", "dev": true, "license": "MIT" }, @@ -45266,9 +45266,9 @@ } }, "node_modules/tar": { - "version": "7.5.3", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.3.tgz", - "integrity": "sha512-ENg5JUHUm2rDD7IvKNFGzyElLXNjachNLp6RaGf4+JOgxXHkqA+gq81ZAMCUmtMtqBsoU62lcp6S27g1LCYGGQ==", + "version": "7.5.6", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.6.tgz", + "integrity": "sha512-xqUeu2JAIJpXyvskvU3uvQW8PAmHrtXp2KDuMJwQqW8Sqq0CaZBAQ+dKS3RBXVhU4wC5NjAdKrmh84241gO9cA==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": {