use npm install instead of ci

Author: maoo

.github/workflows/cve-scanning-node.yml

@@ -20,5 +20,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - run: npm ci --prod
+      - run: npm config set package-lock false
+      # TODO - this is ignoring package-lock.json
+      - run: npm install --prod
       - run: npx --yes auditjs ossi --whitelist allow-list.json