From bc1fa22217afad99308f82f6ff26b9d3553c1545 Mon Sep 17 00:00:00 2001
From: "securityeng-bot[bot]"
 <219863240+securityeng-bot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 20:23:10 +0000
Subject: [PATCH 1/2] fix: use lockfile-aware install commands

---
 .github/workflows/test.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 99499246..008702b9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -86,7 +86,7 @@ jobs:
           cache: 'yarn'
       -
         name: Install
-        run: yarn install
+        run: yarn install --immutable
       -
         name: Create includes
         id: set
@@ -197,7 +197,7 @@ jobs:
           use: false
       -
         name: Install
-        run: yarn install
+        run: yarn install --immutable
       -
         name: Test
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0

From 8c6c324914a2bfb2282cd11bda9f647062c85947 Mon Sep 17 00:00:00 2001
From: "securityeng-bot[bot]"
 <219863240+securityeng-bot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 20:23:11 +0000
Subject: [PATCH 2/2] fix: use lockfile-aware install commands

---
 dev.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev.Dockerfile b/dev.Dockerfile
index cc583456..0f729fec 100644
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@@ -36,7 +36,7 @@ FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
   --mount=type=cache,target=/src/.yarn/cache \
   --mount=type=cache,target=/src/node_modules \
-  yarn install && mkdir /vendor && cp yarn.lock /vendor
+  yarn install --immutable && mkdir /vendor && cp yarn.lock /vendor
 
 FROM scratch AS vendor-update
 COPY --from=deps /vendor /