
SK-2839: Public Release - harden against npm supply chain attacks — pin deps and add --ignore-scripts to CI#139

Merged: saileshwar-skyflow merged 2 commits into main from release/26.6.2 on Jun 8, 2026

Conversation

@saileshwar-skyflow (Collaborator)
Summary

  • Pin all dependency versions in package.json and example/package.json — removes all ^/~ ranges and replaces them with the exact versions resolved from yarn.lock. peerDependencies and resolutions are untouched.
  • Add --ignore-scripts to all 5 CI npm install steps (CI.yml, main.yml, release.yml, beta-release.yml, internal-release.yml) to block arbitrary postinstall execution from a compromised package. Each step gets a comment explaining the rationale and exceptions.
  • Create .npmrc with a comment block explaining why ignore-scripts=true was not set globally — example/package.json has a legitimate postinstall: "patch-package" hook required for dependency patches.

No source files, test files, config files, or native code (android/, ios/, assets/) were modified.

Postinstall audit findings

| Location | Hook | Decision |
| --- | --- | --- |
| package.json (root) | prepare: "bob build" | Safe to suppress — CI runs npm run build explicitly |
| example/package.json | postinstall: "patch-package" | Legitimate — not suppressed (root install doesn't trigger it) |
| @arkweid/lefthook | git hook installer | Not needed in CI |
| react-native 0.71.x | native postinstall | Not needed — CI is JS-only |

Semgrep.yml and Gitleaks.yml have no npm install steps and were not modified.

github-actions bot commented Jun 5, 2026:

Gitleaks Findings: No secrets detected. Safe to proceed!

github-actions bot commented Jun 5, 2026:

Semgrep findings: No issues found, Good to merge.

saileshwar-skyflow merged commit aaa52c2 into main Jun 8, 2026 (4 checks passed)