fix(security-audit): add clean-tmp-dir lockfile regen fallback

The earlier fallback chain still failed in CI because npm's arborist
crashes on bun's hoisted node_modules layout (paths containing '+') and
on nested packages that reference the yarn/bun 'workspace:' protocol
(e.g. crossws in docs-site/node_modules). The previous --legacy-peer-deps
attempt walked into those paths and produced:

  npm error Cannot read properties of null (reading 'matches')
  npm error code EUNSUPPORTEDPROTOCOL
  npm error Unsupported URL Type 'workspace:': workspace:*

Add a 3rd attempt that runs `npm install --package-lock-only` in a
fresh mkdtemp directory containing only package.json. With no
hoisted node_modules to walk, npm builds a clean ideal tree and emits
a valid lockfile. On success the generated lockfile is copied back to
the project root before the temp dir is removed.

The previous ESM/require typo was also fixed: switch the file's
imports to ESM (mkdtempSync, copyFileSync, tmpdir, join) since the
.mjs extension forces ESM scope and require() throws ReferenceError.

Verified locally: `bun run security:audit` regenerates a fresh
package-lock.json in ~3 min and exits 0 (1 high [astro, allowlisted],
0 critical, 11 moderate). Re-runs reuse the fresh lockfile and exit
in <1s.

Author: swadhinbiswas

scripts/security/audit.mjs

@@ -15,8 +15,9 @@
  *   1 — fail (disallowed high/critical vulnerability present)
  *   2 — script error
  */
-import { existsSync, readFileSync, statSync, writeFileSync, unlinkSync } from "node:fs";
-import { resolve } from "node:path";
+import { existsSync, readFileSync, statSync, copyFileSync, mkdtempSync, rmSync, copyFileSync as copyFileSyncEsm } from "node:fs";
+import { resolve, join } from "node:path";
+import { tmpdir } from "node:os";
 import { spawnSync } from "node:child_process";
 
 const ROOT = resolve(process.cwd());
@@ -30,17 +31,53 @@ const log = (level, msg) => console.log(`[${new Date().toISOString()}] [${level}
 function regenerateLockfile() {
   log("info", "Regenerating package-lock.json from package.json (--package-lock-only)…");
   // Some npm versions crash with `Cannot read properties of null (reading 'matches')`
-  // when the existing lockfile is stale or contains shapes they don't expect.
-  // Try the simple invocation first; fall back to deleting and regenerating
-  // from scratch; finally fall back to auditing whatever lockfile exists.
+  // when the existing node_modules is bun-hoisted (paths contain `+`) or when
+  // hoisted packages reference the yarn/bun `workspace:` protocol in nested
+  // `node_modules/<pkg>/package.json` (e.g. crossws in docs-site/node_modules).
+  // We try three strategies in order:
+  //   1. Plain `npm install --package-lock-only` in the project root.
+  //   2. Same with `--ignore-scripts --legacy-peer-deps` to skip workspaces.
+  //   3. Run `npm install --package-lock-only` from a clean temp directory
+  //      containing only package.json, so npm never sees bun's hoisted
+  //      `node_modules/.bun/*` paths or the docs-site nested packages.
+  // If all three fail AND no lockfile exists on disk, exit 2; otherwise fall
+  // back to auditing the existing lockfile (may be stale but better than 0).
+  const root = ROOT;
   const attempts = [
-    ["npm", ["install", "--package-lock-only", "--no-audit", "--no-fund", `--registry=${AUDIT_REGISTRY}`]],
-    ["npm", ["install", "--package-lock-only", "--no-audit", "--no-fund", "--ignore-scripts", "--legacy-peer-deps", `--registry=${AUDIT_REGISTRY}`]],
+    {
+      label: "root (default)",
+      run: () => spawnSync("npm", ["install", "--package-lock-only", "--no-audit", "--no-fund", `--registry=${AUDIT_REGISTRY}`], { cwd: root, stdio: "inherit" }),
+    },
+    {
+      label: "root (--ignore-scripts --legacy-peer-deps)",
+      run: () => spawnSync("npm", ["install", "--package-lock-only", "--no-audit", "--no-fund", "--ignore-scripts", "--legacy-peer-deps", `--registry=${AUDIT_REGISTRY}`], { cwd: root, stdio: "inherit" }),
+    },
+    {
+      label: "clean temp directory (no hoisted node_modules)",
+      run: () => {
+        const tmp = mkdtempSync(join(tmpdir(), "och-audit-"));
+        copyFileSync(join(root, "package.json"), join(tmp, "package.json"));
+        try {
+          return spawnSync("npm", ["install", "--package-lock-only", "--no-audit", "--no-fund", "--ignore-scripts", "--legacy-peer-deps", `--registry=${AUDIT_REGISTRY}`], { cwd: tmp, stdio: "inherit" });
+        } finally {
+          try {
+            const generated = join(tmp, "package-lock.json");
+            if (existsSync(generated)) copyFileSync(generated, LOCKFILE);
+          } catch { /* best-effort */ }
+          rmSync(tmp, { recursive: true, force: true });
+        }
+      },
+    },
   ];
   for (let i = 0; i < attempts.length; i++) {
-    const [cmd, args] = attempts[i];
-    const r = spawnSync(cmd, args, { stdio: "inherit" });
-    if (r.status === 0) return;
+    const a = attempts[i];
+    log("info", `Lockfile regen attempt ${i + 1}: ${a.label}`);
+    const r = a.run();
+    if (r.status === 0) {
+      // The clean-tmp attempt copies the lockfile before returning, so a
+      // subsequent `existsSync(LOCKFILE)` check at the caller will pass.
+      return;
+    }
     log("warn", `Lockfile regen attempt ${i + 1} failed (exit ${r.status})`);
   }
   if (existsSync(LOCKFILE)) {