chore: pin prettier-related packages to prevent malicious package installation

[subhankarmaiti]

Background

A recent npm phishing campaign led to the compromise of several prettier tooling packages. The attack involved:

• Phishing emails targeting package maintainers using typosquatted domain (npnjs.com)
• Stolen npm tokens used to publish malicious versions
• Compromised packages included Windows-specific payloads attempting to load DLLs

Affected malicious versions:

• eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
• eslint-plugin-prettier: 4.2.2, 4.2.3

Changes

✅ Our versions were already safe, but this PR adds extra protection by pinning exact versions:

• prettier: ^3.0.3 → 3.0.3 (was never compromised)
• eslint-config-prettier: ^10.1.1 → 10.1.5 (pinned to last known safe version)
• eslint-plugin-prettier: ^5.5.1 → 5.5.1 (already safe, now pinned)
• prettier-plugin-organize-imports: ^4.1.0 → 4.1.0 (pinned for consistency)

Security Impact

• No immediate threat: Our current versions were not affected by the malicious releases
• Future protection: Pinned versions prevent accidental installation of any compromised packages
• Best practice: Follows security recommendation to avoid floating version ranges in CI pipelines

References

• Socket Security Blog: npm Phishing Campaign

Verification

• All pinned versions are confirmed safe
• No breaking changes introduced
• Existing functionality preserved