
Fix audit alerts and enforce frozen lockfile #33266

Open

alexslavr wants to merge 4 commits into 25_1 from lavrov/audit-alerts-25_1

Conversation

@alexslavr
Contributor

No description provided.

@alexslavr alexslavr self-assigned this Apr 14, 2026
@alexslavr alexslavr requested a review from a team as a code owner April 14, 2026 15:03
@alexslavr alexslavr added the 25_1 label Apr 14, 2026
@alexslavr alexslavr requested a review from Copilot April 14, 2026 15:03
Contributor

Copilot AI left a comment


Pull request overview

This PR tightens dependency reproducibility and reduces CI variability by enforcing --frozen-lockfile across GitHub workflows, and updates the build tooling that fetches external documentation content used during package builds.

Changes:

  • Enforce pnpm install --frozen-lockfile across CI workflows to prevent lockfile drift during installs.
  • Update tools/scripts/build-all.ts to install and run documentation tooling via pnpm and adjust the temporary documentation clone directory.
  • Remove outdated/commented Angular polyfill install hints and remove an unused composite GitHub Action for Chrome headless shell setup.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated no comments.

Summary per file (file, then description):
tools/scripts/build-all.ts Switch doc repo install/run steps to pnpm and change documentation temp clone location.
apps/angular/src/polyfills.ts Remove outdated inline “npm install” hints from commented polyfill imports.
.github/workflows/wrapper_tests_e2e.yml Use frozen lockfile for deterministic installs.
.github/workflows/wrapper_tests.yml Use frozen lockfile for deterministic installs.
.github/workflows/update_version.yml Use frozen lockfile for deterministic installs.
.github/workflows/ts_declarations.yml Use frozen lockfile for deterministic installs.
.github/workflows/themebuilder_tests.yml Use frozen lockfile for deterministic installs.
.github/workflows/testcafe_tests.yml Use frozen lockfile for deterministic installs.
.github/workflows/styles.yml Use frozen lockfile for deterministic installs.
.github/workflows/run-testcafe-on-gh-pages.yml Use frozen lockfile for deterministic installs.
.github/workflows/renovation.yml Use frozen lockfile for deterministic installs.
.github/workflows/qunit_tests.yml Use frozen lockfile for deterministic installs.
.github/workflows/publish-demos.yml Use frozen lockfile for deterministic installs.
.github/workflows/playgrounds_tests.yml Use frozen lockfile for deterministic installs.
.github/workflows/packages_publishing.yml Use frozen lockfile for deterministic installs.
.github/workflows/lint.yml Use frozen lockfile for deterministic installs; remove separate lockfile-update/check job and adjust notification dependencies.
.github/workflows/demos_visual_tests.yml Use frozen lockfile for deterministic installs; remove commented-out wrapper build/link steps.
.github/workflows/demos_unit_tests.yml Use frozen lockfile for deterministic installs.
.github/workflows/default_workflow.yml Use frozen lockfile for deterministic installs.
.github/workflows/codeql.yml Use frozen lockfile for deterministic installs.
.github/workflows/build_all.yml Use frozen lockfile for deterministic installs.
.github/actions/setup-chrome-headless-shell/action.yml Remove unused composite action.
.github/actions/run-qunit-tests/action.yml Remove commented-out Chrome setup section referencing removed action.
Comments suppressed due to low confidence (1)

tools/scripts/build-all.ts:28

  • DOCUMENTATION_TEMP_DIR is now created in the parent of ROOT_DIR ("../doc_tmp") and later deleted via rm -rf. This can delete data outside the repo/workspace (e.g., if a sibling doc_tmp already exists) and can also cause collisions between concurrent runs. Prefer creating the temp clone directory under ARTIFACTS_DIR (as before) or via an OS temp directory (e.g., fs.mkdtemp under os.tmpdir()), ideally with a unique suffix, and only deleting within that scoped location.
    const DOCUMENTATION_TEMP_DIR = path.join(ARTIFACTS_DIR, 'doc_tmp');
    sh.exec(`git clone -b ${MAJOR_VERSION} --depth 1 --config core.longpaths=true https://github.com/DevExpress/devextreme-documentation.git ${DOCUMENTATION_TEMP_DIR}`);

    sh.pushd(DOCUMENTATION_TEMP_DIR);
    sh.exec('npm ci');
    sh.exec(`npm run update-topics -- --artifacts ${INTERNAL_TOOLS_ARTIFACTS}`);
    sh.popd();

    sh.rm('-rf', DOCUMENTATION_TEMP_DIR);
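The scoped temp-directory pattern the suppressed comment recommends (a unique directory under os.tmpdir(), deleted only within that scope), as an added example that is not part of this PR or of the project's tools/scripts/build-all.ts. The helper names createScopedTempDir, isInside, removeScoped, withScopedTempDir and demo are hypothetical, and the git clone step is replaced by writing a placeholder file so the example runs offline; the constructed sandbox reproduces the ROOT_DIR/../doc_tmp layout the comment warns about.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Hypothetical helper names (not from the project): a scoped temp-dir pattern
// for the clone / run / delete sequence in build-all.ts.

// Create a unique directory under the OS temp root (mkdtemp appends a random
// suffix), so concurrent runs never share or clobber each other's clone.
function createScopedTempDir(prefix: string = 'doc_tmp-'): string {
  return fs.mkdtempSync(path.join(os.tmpdir(), prefix));
}

// True only when `target` exists and resolves strictly inside `root`.
// Symlinks are resolved first so a link pointing outside the root does not pass.
function isInside(root: string, target: string): boolean {
  if (!fs.existsSync(root) || !fs.existsSync(target)) {
    return false;
  }
  const rel = path.relative(fs.realpathSync(root), fs.realpathSync(target));
  return rel !== '' && !rel.startsWith('..') && !path.isAbsolute(rel);
}

// Recursive delete that refuses anything outside `root` (and `root` itself).
// Returns whether the deletion was performed.
function removeScoped(root: string, dir: string): boolean {
  if (!isInside(root, dir)) {
    return false;
  }
  fs.rmSync(dir, { recursive: true, force: true });
  return true;
}

// Run `work` inside a fresh temp directory and always clean it up afterwards,
// deleting only the directory this call created.
function withScopedTempDir<T>(work: (dir: string) => T, prefix: string = 'doc_tmp-'): T {
  const root = os.tmpdir();
  const dir = createScopedTempDir(prefix);
  try {
    return work(dir);
  } finally {
    removeScoped(root, dir);
  }
}

// Constructed demonstration: a stand-in workspace holding a repo and a
// pre-existing sibling "doc_tmp", the layout ROOT_DIR/../doc_tmp resolves to.
function demo(): { refused: boolean; siblingSurvives: boolean; workOk: boolean; cleaned: boolean } {
  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'sandbox-'));
  const repoRoot = path.join(sandbox, 'repo');
  const siblingDocTmp = path.join(repoRoot, '..', 'doc_tmp');
  fs.mkdirSync(repoRoot);
  fs.mkdirSync(siblingDocTmp);
  fs.writeFileSync(path.join(siblingDocTmp, 'keep.txt'), 'unrelated data that must survive\n');

  // Scoped removal rooted at the repo refuses the sibling directory.
  const refused = !removeScoped(repoRoot, siblingDocTmp);
  const siblingSurvives = fs.existsSync(path.join(siblingDocTmp, 'keep.txt'));

  // The recommended pattern: "clone" (here, a placeholder file) into a unique
  // temp dir, run the tooling, and delete only that directory.
  let workDir = '';
  const workOk = withScopedTempDir((dir) => {
    workDir = dir;
    fs.writeFileSync(path.join(dir, 'README.md'), '# placeholder for the cloned docs repo\n');
    return fs.existsSync(path.join(dir, 'README.md'));
  });
  const cleaned = workDir !== '' && !fs.existsSync(workDir);

  removeScoped(os.tmpdir(), sandbox);
  return { refused, siblingSurvives, workOk, cleaned };
}
```

In build-all.ts the `git clone ... ${dir}`, `pushd`/install/`update-topics` steps would run inside the callback passed to withScopedTempDir, so the directory is unique per run and the only thing ever removed is the directory that run created. The guard resolves real paths before comparing, so a symlinked temp root (as on macOS) still passes and a link escaping the root still fails.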



2 participants