Preventing malicious version of coa to install in CI

See: veged/coa#99

This is not an end-user security issue. Simply, we don't want to
allow malicious code to be executed inside our own CI system.

Author: weaverryan

src/Turbo/Tests/app/package.json

@@ -9,6 +9,7 @@
         "stimulus": "^2.0.0",
         "webpack-notifier": "^1.6.0"
     },
+    "resolutions": { "coa": "2.0.2" },
     "license": "MIT",
     "private": true,
     "scripts": {