
Conversation


@NicholasEllul NicholasEllul commented Jan 6, 2026

Summary

In #10 we added detection for npx usage in shell / JSON scripts. However, there are other cases where we are using npx in JavaScript files, as well as in GitHub workflows. This PR adds support for detection in those languages to ensure that potential supply chain issues are detected.

Note that we intentionally match all strings using npx in JS/TS so that even error messages prompting people to run npx scripts are flagged.


Note

Introduces detection of unsafe npx execution outside lockfiles across JS/TS code and CI YAML.

  • Adds npx-usage-js.yml (JavaScript/TypeScript) and npx-usage-yml.yml (YAML) rules with WARNING severity, security tag, rationale/help, and remediation message
  • Matches shell commands starting with npx in JS/TS string/template literals and in YAML run: steps (including scoped packages, flags, env vars, and command chains)
  • Test suites cover positive/negative cases (e.g., jest, eslint, prettier, create-react-app; allow yarn, npm run, yarn dlx)

Written by Cursor Bugbot for commit 075f928.
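As an added example (not the PR's rule files or the security-code-scanner project's own code), the following plain-JavaScript scanner models what the note above says the two rules match: any whole-word `npx` inside JS/TS string or template literals (so error messages that tell people to run npx are flagged too, as the description says is intended), and YAML `run:` steps whose command starts with `npx` after leading environment assignments, in any part of a command chain. The helper names, regexes and the sample JS and workflow inputs are my own assumptions and constructed fixtures; this is a model of the described behaviour, not semgrep's matching semantics.

```javascript
// Added example, not code from this PR or the security-code-scanner repo.
// Models the behaviour the PR description attributes to npx-usage-js.yml and
// npx-usage-yml.yml. Helper names, regexes and samples are assumptions.

// Split a shell line into the commands of a chain so `npm ci && npx jest`
// and multi-line `run: |` blocks are still caught.
function splitCommandChain(cmd) {
  return cmd.split(/\s*(?:&&|\|\||;|\||\n)\s*/).map((s) => s.trim()).filter(Boolean);
}

// Strip leading `VAR=value` assignments: `CI=true npx jest` -> `npx jest`.
function stripEnvAssignments(cmd) {
  return cmd.replace(/^(?:[A-Za-z_][A-Za-z0-9_]*=\S*\s+)+/, '');
}

// True when some command in the chain starts with `npx`. Scoped packages and
// flags are just arguments, so only the first word matters; `yarn dlx`,
// `npm run` and `npm exec` do not match, mirroring the PR's negative cases.
function commandUsesNpx(cmd) {
  return splitCommandChain(cmd).some(
    (part) => stripEnvAssignments(part).split(/\s+/)[0] === 'npx',
  );
}

// JS/TS literals are flagged on any whole word `npx`, so a message such as
// "run `npx foo`" is reported too. `npxfoo` is not the word and is ignored.
const NPX_WORD = /(^|[\s`'":(])npx(?=[\s`'")]|$)/;
// Crude tokenizer for single-, double- and backtick-quoted literals.
const LITERAL = /'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*"|`(?:[^`\\]|\\.)*`/g;

// Returns [{line, literal}] for every literal mentioning npx.
function scanJsSource(src) {
  const hits = [];
  for (const m of src.matchAll(LITERAL)) {
    const body = m[0].slice(1, -1);
    const line = src.slice(0, m.index).split('\n').length;
    if (NPX_WORD.test(body)) hits.push({ line, literal: body });
  }
  return hits;
}

// Minimal extraction of `run:` values: inline, quoted, or `|`/`>` block scalars.
function extractRunSteps(yaml) {
  const lines = yaml.split('\n');
  const steps = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^(\s*(?:-\s+)?)run:\s*(.*)$/.exec(lines[i]);
    if (!m) continue;
    const keyIndent = m[1].length;
    let value = m[2].trim();
    if (/^[|>][-+]?$/.test(value)) {
      const block = [];
      for (let j = i + 1; j < lines.length; j++) {
        if (lines[j].trim() !== '' && lines[j].search(/\S/) <= keyIndent) break;
        block.push(lines[j].trim());
      }
      value = block.filter(Boolean).join('\n');
    } else if (/^(['"]).*\1$/.test(value)) {
      value = value.slice(1, -1);
    }
    steps.push({ line: i + 1, command: value });
  }
  return steps;
}

// Returns [{line, command}] for run steps that execute npx.
function scanWorkflow(yaml) {
  return extractRunSteps(yaml).filter((s) => commandUsesNpx(s.command));
}

// Constructed samples (not the PR's fixtures); line numbers in the comments.
const SAMPLE_JS = [
  'const cmd = `yarn dlx create-react-app my-app`;',    // 1 ok
  "const run = 'npm run lint';",                        // 2 ok
  'const fix = "Please run `npx prettier --write .`";', // 3 flagged (error message)
  'const jest = `CI=true npx jest --ci`;',              // 4 flagged (env prefix)
  "const chain = 'npm ci && npx @scope/tool --flag';",  // 5 flagged (chain, scoped pkg)
  "const name = 'npxfoo';",                             // 6 ok, not the word npx
].join('\n');

const SAMPLE_YAML = [
  'jobs:',                                             // 1
  '  test:',                                           // 2
  '    runs-on: ubuntu-latest',                        // 3
  '    steps:',                                        // 4
  '      - run: yarn install --immutable',             // 5 ok
  '      - name: unit',                                // 6
  '        run: CI=true npx jest --ci',                // 7 flagged (env prefix)
  '      - run: |',                                    // 8 flagged (chain in block)
  '          npm ci',                                  // 9
  '          npx @scope/tool --flag',                  // 10
  '      - run: "yarn dlx prettier --check ."',        // 11 ok
  '      - run: npm run lint && npm exec -- eslint .', // 12 ok
].join('\n');

function demo() {
  return {
    jsLines: scanJsSource(SAMPLE_JS).map((h) => h.line),
    yamlLines: scanWorkflow(SAMPLE_YAML).map((s) => s.line),
  };
}

console.log(JSON.stringify(demo())); // {"jsLines":[3,4,5],"yamlLines":[7,8]}
```

Only the first word of each chain segment is compared, so an npx invocation hidden behind a wrapper script is out of scope here, as it is for the rules as described. Vendored or minified fixtures that merely contain the string, the concern raised in the review below, are better handled by excluding their paths in the scanner configuration than by narrowing the matcher.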

@NicholasEllul NicholasEllul requested a review from a team as a code owner January 6, 2026 20:35
Member

Is there an easy way to ignore this warning for vendored code? We have some third-party minified code in mobile and extension that would contain the string npx (e.g. a fixture of a snap bundle used by e2e tests)

Contributor Author

@Gudahtt yes, this would be configured in the security-code-scanner.yml in the paths-ignored section (Example)

// Using yarn dlx
function goodYarnDlx() {
  // ok: npx-usage-js
  const cmd = `yarn dlx create-react-app my-app`;
}
Member

Maybe worth considering adding a warning about yarn dlx as well (it also doesn't update the lockfile, though at least it wouldn't bypass a pre-existing one).

But we can consider that in a separate PR

Member

@Gudahtt Gudahtt left a comment

LGTM!
