story: refactor Node dependency pins

[wesley-dean-flexion]

Describe the User Story

As a security engineer, so that Node dependencies can be managed by automated tooling (e.g., Depenabot, Renovate, npm audit, etc.), I would like Node dependencies specifications to be removed from source files (e.g., the Dockerfile) and placed, instead, in a file intended for dependency tracking (e.g., package.json).

Acceptance Criteria

• dependency specification removed from Dockerfile, GitHub Action workflow files, etc.
• dependency specification added to a separate mechanism designed for specifying dependencies (e.g., package.json) Add package.json to pin dependencies used in the Docker image #324
• dependency management tooling updated to scan the dependency specification
• workflow continues to function as it did previously (i.e., don't break anything)
• support the composite action mechanism from Add dockerless composite action #257

Definition of Done

• Acceptance criteria met
• Usability tests passed - this user story should be easy to use by real users
• Code refactored for clarity - code must be clean, self-documenting code
• Dependency Rule followed - higher-level code should not depend directly on lower-level code
• Source code merged
• Unit test coverage of our code > 90%
• Security reviewed and reported - includes vulnerability and compliance scanning
• Code quality checks passed
• Build process updated if needed
• API documentation updated if needed

Additional Information

If a package.json (or similar.. whatever) approach is used, the setup action becomes more generalized from "install this version of this package" to "install the required dependencies"

steps:
- uses: actions/setup-node@v4
- run: npm ci

This applies not only to GitHub Actions at runtime, but also Docker image builds. So, it would go from

RUN npm install ...

to

WORKDIR /destination/
COPY file /destination/
RUN npm ci

Related Feature Request

#257