feat: Add guidance about npx/yarn dlx

The secure coding guidelines have been updated to ask contributors not
to use `npx` and `yarn dlx`, because they don't update the lockfile and
leave us more vulnerable to supply-chain attacks.

Author: Gudahtt

architecture

@@ -0,0 +1,104 @@
+workspace "MetaMask Extension Architecture" "Architecture diagram of the MetaMask Extension codebase" {
+
+    !identifiers hierarchical
+
+    model {
+        core = softwareSystem "Core Wallet" {
+            messenger = container "Messenger"
+
+            rpcService = container "RPC Service"
+            rpcService -> messenger
+
+            networkController = container "Network Controller"
+            networkController -> messenger
+            networkController -> rpcService
+            keyringController = container "Keyring Controller"
+            keyringController -> messenger
+            accountsController = container "Accounts Controller"
+            accountsController -> messenger
+
+            rpcPipeline = container "Wallet API RPC Pipeline"
+            rpcPipeline -> networkController
+            rpcPipeline -> keyringController
+        }
+
+
+
+        extensionBackground = softwareSystem "Extension Background" {
+            persistedStore = container "Persisted store"
+            persistedStore -> core.messenger
+
+            memoryStore = container "Memory store"
+            memoryStore -> core.messenger
+
+            appStateController = container "App State Controller"
+            appStateController -> core.messenger
+
+            controllerApi = container "Controller API"
+            controllerApi -> core.messenger
+
+            controllerStream = container "Controller stream"
+            controllerStream -> controllerApi
+            controllerStream -> memoryStore
+
+            providerStream = container "Provider stream"
+            providerStream -> core.rpcPipeline
+        }
+
+        extensionUi = softwareSystem "Extension UI" {
+            redux = container "Redux store"
+
+            metamaskSlice = container "MetaMask Redux slice"
+            metamaskSlice -> extensionBackground.controllerStream
+            metamaskSlice -> redux
+
+            sendSlice = container "MetaMask Send slice"
+            sendSlice -> redux
+
+            gasSlice = container "MetaMask Gas slice"
+            gasSlice -> redux
+
+            provider = container "Ethereum Provider"
+            provider -> extensionBackground.providerStream
+
+            backgroundApi = container "Background API"
+            backgroundApi -> extensionBackground.controllerStream
+        }
+    }
+
+    views {
+        systemContext core "Diagram1" {
+            include *
+            autolayout lr
+        }
+
+        container core "Diagram2" {
+            include element.parent==core element.parent==extensionBackground element.parent==extensionUi
+            autolayout lr
+        }
+
+        styles {
+            element "Element" {
+                color #ffffff
+            }
+            element "Person" {
+                background #741eba
+                shape person
+            }
+            element "Software System" {
+                background #8723d9
+            }
+            element "Container" {
+                background #9a28f8
+            }
+            element "Database" {
+                shape cylinder
+            }
+        }
+    }
+
+    configuration {
+        scope none
+    }
+
+}

docs/secure-coding-guidelines.md

@@ -121,7 +121,9 @@ The guidelines in this policy were gathered primarily from the [OWASP Top 10](ht
 
 #### Dependency Integrity
 
-- Use a lockfile or pinned dependencies to maintain control over which version of each dependency is used
+- Use a lockfile to maintain control over which version of each dependency is used
+- Do not use `npx` or `yarn dlx`
+	- These commands do not update the lockfile, so we have no control over which versions are installed. This leaves us vulnerable to supply-chain attacks.
 
 #### Avoid Deprecated and Unmaintained Packages