Update NPM packages

[andyleejordan]

Routine dependency refresh.

Highlights

• uuid 13 → 14 (only used as v4 in ExternalApi.ts, no API changes)
• sinon 21 → 22 (@types/sinon not yet published for 22, staying on 21)
• @types/vscode ~1.110.0 → ~1.115.0 to align with engines.vscode ^1.114.0 (1.114 isn't published; 1.115 is the closest matching patch series). Held off bumping engines.vscode itself this round.
• Various minor/patch bumps: @vscode/extension-telemetry, semver, @vscode/vsce, @types/node, @ungap/structured-clone, eslint, prettier, typescript, typescript-eslint.

Skipped

• @types/node 25 — pinned to 22 to match Electron 39 / Node 22 in VS Code 1.114.
• untildify 6 — ESM-only, we're CJS.

Overrides

The serialize-javascript and diff overrides are still required — mocha pulls in vulnerable transitive versions otherwise. Verified both: removing either re-introduces the advisories.

Security

Resolves both open Dependabot alerts:

• Alert 86: uuid missing buffer bounds check in v3/v5/v6 (fixed by the bump to uuid 14, which also pulls a patched 13.x transitively).
• Alert 87: fast-uri path traversal / host confusion (now on 3.1.2 via @vscode/vsce 3.9.1 → @secretlint/node → ajv).

Verification

• npm run compile ✅
• npm run lint ✅
• npm run format ✅
• npm audit ✅ (0 vulnerabilities)

[Copilot]

Pull request overview

Routine npm dependency refresh, bumping patch/minor versions broadly and a few majors (uuid 13→14, sinon 21→22, @types/vscode 1.110→1.115). Resolves two Dependabot alerts (uuid, fast-uri).

Changes:

• Bump uuid to ^14.0.0, sinon to ^22.0.0, @types/vscode to ~1.115.0.
• Various minor/patch bumps to telemetry, semver, vsce, eslint, prettier, typescript, typescript-eslint, etc.
• Regenerated package-lock.json to match.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
package.json	Dependency version bumps for direct deps and dev/optional tooling.
package-lock.json	Lockfile regenerated to reflect the new resolved versions.