chore: use lockfiles for NPM dependencies

[daniel-graham-amplitude]

Summary

Instead of installing dependencies dynamically via "npx", pin down the dependencies using lockfile + npm ci so that we don't get any unexpected dependencies when running semantic-release.

Checklist

• Does your PR title have the correct title format?
• Does your PR have a breaking change?: No

---

Note

CI release workflow tweaks

• Update release.yml to install Node dependencies with npm ci and run semantic-release via npm exec (both dry-run and real), keeping npm config set ignore-scripts true.
• Add node_modules/ to .gitignore.

^{Written by Cursor Bugbot for commit d1bbae3. This will update automatically on new commits. Configure here.}

[macroscopeapp]

Replace ad-hoc npx -p installs with npm ci and run semantic-release via npm exec in release.yml to meet AMP-145287

The Release workflow installs Node dependencies with npm ci and runs semantic-release using npm exec, adds node_modules/ to .gitignore, and introduces package.json and package-lock.json for pinned dependencies.

🖇️ Linked Issues

Addresses AMP-145287 by removing npx -p usage in the Release workflow, contributing to the AMP-145285 epic under the AMP-91393 initiative.

📍Where to Start

Start with the Release job steps in release.yml, focusing on the npm ci and npm exec semantic-release changes.

---

Macroscope summarized d1bbae3.

[sojingle]

LGTM, Thanks!

[github-actions]

🎉 This PR is included in version 1.16.3 🎉

The release is available on:

• GitHub release
• v1.16.3

Your semantic-release bot 📦🚀