ENG-33: CVE updates

[kariharju]

Description

• Updated CVES
• Moved from yarn to npm and using npm ci in GHAs
  • npm caching done correctly with package-lock.json in git
• Moved from vsce to @vscode/vsce AND using it from locked dev. deps (not downloading in GHAs)
• Big updates to sema4ai/.vscodeignore a lot of extra files dropped from the vsix
• Updated codegen:
  • Better organized package.json
  • with open(..., "w", encoding="utf-8", newline="\n") in a lot of places causing white-space diffs

https://linear.app/sema4ai/issue/ENG-33

How was this tested?

• Ran extension in VS Code > tested agent and action edits and runs
• Build local vsix > installed > tested agent and action edits and runs

Screenshots (if possible)

Before .vscodeignore changes:

 INFO  Files included in the VSIX:
sema4ai-2.18.0.vsix
├─ [Content_Types].xml
├─ extension.vsixmanifest
└─ extension/
   ├─ .nvmrc [0.01 KB]
   ├─ .prettierignore [0.11 KB]
   ├─ .yarnrc.yml [0.03 KB]
   ├─ README.md [2.99 KB]
   ├─ console.ts
   ├─ dev.py [12.35 KB]
   ├─ package.json [67.08 KB]
   ├─ poetry.lock [137.43 KB]
   ├─ pyproject.toml [3.13 KB]
   ├─ .mypy_cache/ (2589 files) [71.97 MB]
   ├─ .ruff_cache/ (23 files) [12.78 KB]
   ├─ bin/ (12 files) [109.2 MB]
   ├─ codegen/ (5 files) [70.45 KB]
   ├─ images/ (10 files) [1.91 MB]
   ├─ node_modules/ (418 files) [1.94 MB]
   ├─ src/ (297 files) [3.81 MB]
   └─ vscode-client/ (133 files) [2.41 MB]

=> Run vsce ls --tree to see all included files.

 DONE  Packaged: C:\Projects\github\vscode-extension\sema4ai\sema4ai-2.18.0.vsix (3498 files, 102.41 MB

..after:

 INFO  Files included in the VSIX:
sema4ai-2.18.0.vsix
├─ [Content_Types].xml
├─ extension.vsixmanifest
└─ extension/
   ├─ package.json [67.08 KB]
   ├─ readme.md [2.99 KB]
   ├─ bin/ (12 files) [109.2 MB]
   ├─ images/ (10 files) [1.91 MB]
   ├─ node_modules/ (337 files) [1.54 MB]
   ├─ src/ (297 files) [3.81 MB]
   └─ vscode-client/ (65 files) [2.04 MB]

=> Run vsce ls --tree to see all included files.

 DONE  Packaged: C:\Projects\github\vscode-extension\sema4ai\sema4ai-2.18.0.vsix (725 files, 96.74 MB)

Pre-Release checklist:

• Updated the Unreleased section of /docs/changelog.md with the new changes.

Stable Release checklist:

• Updated the version using python -m dev set-version {version}
• Updated /docs/changelog.md with the changes for the release

[fabioz]

Since you touched it, maybe it'd be nice to actually pin it with the hash...

[kariharju]

Yeah I've been hoping to avoid it, kind of wishing these would just get the semver support, but I guess that is wishful thinking.
Maintaining the hashes on +400 repositories is absolute insanity, compared to having something like ^6.1.2
I'll try to get everything to v6 and using the caching correctly first then some massive search and replace agent or bot.

[fabioz]

LGTM, just one optional comment ;)