ci(deps): Pin third party node dependencies

[rbarker-dev]

Description

This pull request makes dependency management more consistent and predictable across the rest/check-state-proof and rest/monitoring packages by enforcing exact versioning for dependencies and updating several dependency versions and peer dependencies. The changes help ensure reproducible builds and reduce the risk of unexpected issues due to unintentional dependency upgrades.

Dependency management improvements:

• Added save-exact=true to .npmrc files in rest/, rest/check-state-proof/, and rest/monitoring/ to enforce exact dependency versioning for future installs.
• Updated all dependency and devDependency versions in package.json and package-lock.json for both rest/check-state-proof and rest/monitoring to use exact versions instead of version ranges (e.g., "^1.2.3" → "1.2.3"). [1] [2] [3]
• Added and updated peerDependencies in both packages to explicitly require certain versions of shared libraries (such as chalk, ansi-styles, debug, is-arrayish, strip-ansi, wrap-ansi, etc.), improving compatibility and clarity for consumers. [1] [2] [3]

Dependency version updates and cleanups:

• Updated or replaced specific versions of transitive dependencies in package-lock.json, including upgrades and removals (e.g., wrap-ansi, is-arrayish, protobufjs, and related dependencies), and removed redundant or outdated nested dependencies. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17]

These changes together make dependency management more robust and predictable for these packages.

Related issue(s)

Fixes #11964

Related Testing

• End-to-end testing panel

[lfdt-bot]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
❌ -31.53% (target: -1.00%)	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (245a69c)	36775	33493	91.08%
Head commit (e984723)	60784 (+24009)	36195 (+2702)	59.55% (-31.53%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#11965)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[steven-sheehy]

We have other NPM packages in the tools/ folder. Shouldn't we handle those as well?

[steven-sheehy]

Do we really need to put these here if we don't even use most of them? Shouldn't we just put the actual transitive packages we use? Same comment for other package.jsons

[rbarker-dev]

Each of these were present in the lock files when we reviewed them. That's why we've added these in here.

[steven-sheehy]

Not sure what you mean. On main, rest/monitoring/package.json only uses debug out of the above list. So shouldn't peerDependencies only contain debug instead of a bunch of unused and irrelevant dependencies?

[andrewb1269]

@steven-sheehy please re-review when you get a chance, thank you!

[steven-sheehy]

So we're not going to update the tools folder as well? Or will that be a separate PR?

[steven-sheehy]

On main, only debug and chalk are in this package-lock.json

[steven-sheehy]

Not sure what you mean. On main, rest/monitoring/package.json only uses debug out of the above list. So shouldn't peerDependencies only contain debug instead of a bunch of unused and irrelevant dependencies?