tidy: use a lockfile for js tools instead of npx

this makes us less vulnerable to MITM and supply chain attacks.

it also means that the CI scripts are no longer responsible for
tracking the versions of these tools.

it should also avoid the situation where local tsc and CI
disagree on the presense of errors due to them being different versions.