Ensure JS lockfiles are respected #4216
Description
yarn should always be run with --frozen-lockfile - this means we'll use pinned dependencies, avoiding safety issues in case of a compromised package.
Known files with issues:
ts/build-packages.shbump-version.sh