
fix: upgrade vsce to @vscode/vsce to fix xml2js vulnerability#1870

Merged: LeighFinegold merged 1 commit into finos:main from rocketstack-matt:fix/vsce-xml2js-vulnerability on Nov 27, 2025

Conversation

@rocketstack-matt (Member)

Description

Replaces deprecated vsce@2.15.0 with @vscode/vsce@3.7.1 which uses xml2js@0.5.0+ that is patched against prototype pollution.

Fixes Dependabot alert #78 (CVE-2023-0842)

https://github.com/finos/architecture-as-code/security/dependabot/78

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Shared (shared/)
  • CALM Widgets (calm-widgets/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • Documentation (docs/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Commit Message Format ✅

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

Replaces deprecated vsce@2.15.0 with @vscode/vsce@3.7.1 which uses
xml2js@0.5.0+ that is patched against prototype pollution.

Fixes Dependabot alert finos#78 (CVE-2023-0842)
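The fix above works by swapping a devDependency so that the transitive xml2js copy resolves to 0.5.0 or later; the practical check is to audit the lockfile for any remaining older copy, including nested ones. The following is an added example, not code from this PR or from the finos/architecture-as-code project: `findVulnerableXml2js`, `auditLockFile` and the three `SAMPLE_LOCK_*` objects are names and data constructed here, and the `^0.4.23` / `^0.5.0` ranges in the samples are illustrative rather than copied from the real lockfile.

```javascript
// Added example, not code from the PR or the finos/architecture-as-code project:
// audit a package-lock.json for xml2js entries older than the patched release
// the PR description cites (0.5.0). Function and sample names are made up here.

const PATCHED_XML2JS = "0.5.0"; // first version the PR calls patched

// Compare two dotted version strings on their numeric major.minor.patch parts;
// returns -1, 0 or 1. Pre-release suffixes are ignored, which is enough for a
// lockfile audit (no external semver dependency needed).
function compareVersions(a, b) {
  const pa = String(a).split("-")[0].split(".").map(Number);
  const pb = String(b).split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed xml2js copy, including nested copies under other
// packages. Handles lockfileVersion 2/3 ("packages" keyed by install path)
// and the legacy lockfileVersion 1 tree ("dependencies" nested per package).
function findXml2js(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/xml2js")) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xml2js") hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Return only the copies that are still below the patched version.
function findVulnerableXml2js(lock) {
  return findXml2js(lock).filter(
    (hit) => compareVersions(hit.version, PATCHED_XML2JS) < 0
  );
}

// Read a lockfile from disk and report; returns true when clean. Not run at
// load time, so the module can be loaded without a lockfile present.
function auditLockFile(file) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(file, "utf8"));
  const bad = findVulnerableXml2js(lock);
  for (const hit of bad) {
    console.log(`xml2js ${hit.version} at ${hit.path} is below ${PATCHED_XML2JS}`);
  }
  return bad.length === 0;
}

// Constructed sample lockfiles (versions illustrative, modelled on the
// before/after state the PR describes; not copied from the real lockfile).
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { vsce: "^2.15.0" } },
    "node_modules/vsce": { version: "2.15.0", dependencies: { xml2js: "^0.4.23" } },
    "node_modules/xml2js": { version: "0.4.23" },
  },
};

const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@vscode/vsce": "^3.7.1" } },
    "node_modules/@vscode/vsce": { version: "3.7.1", dependencies: { xml2js: "^0.5.0" } },
    "node_modules/xml2js": { version: "0.5.0" },
  },
};

// Legacy (lockfileVersion 1) shape with a nested copy, to exercise the walk.
const SAMPLE_LOCK_LEGACY = {
  lockfileVersion: 1,
  dependencies: {
    vsce: { version: "2.15.0", dependencies: { xml2js: { version: "0.4.19" } } },
  },
};

console.log("before:", findVulnerableXml2js(SAMPLE_LOCK_BEFORE));
console.log("after:", findVulnerableXml2js(SAMPLE_LOCK_AFTER));
console.log("legacy:", findVulnerableXml2js(SAMPLE_LOCK_LEGACY));
```

Against a real checkout, `auditLockFile("package-lock.json")` returns false and lists each offending install path whenever a nested copy survives the upgrade, which is the case `npm audit` output alone can leave unclear when several packages pull in the same module.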
Copilot AI review requested due to automatic review settings November 27, 2025 14:59
@rocketstack-matt rocketstack-matt requested a review from a team as a code owner November 27, 2025 14:59
@LeighFinegold LeighFinegold merged commit 9877549 into finos:main Nov 27, 2025
18 checks passed
Copilot AI (Contributor) left a comment


Pull request overview

This pull request upgrades the deprecated vsce package to its successor @vscode/vsce, addressing a critical security vulnerability (CVE-2023-0842) in the xml2js dependency. The upgrade patches a prototype pollution vulnerability by ensuring xml2js is updated from version 0.4.x to 0.5.0.

Key changes:

  • Replaced vsce@2.15.0 with @vscode/vsce@3.7.1
  • Updated the package script to use npx @vscode/vsce instead of vsce
  • xml2js dependency upgraded to 0.5.0 (patched version)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File and description:

  • calm-plugins/vscode/package.json: Updated devDependency from vsce to @vscode/vsce and modified package script to use the new CLI command
  • package-lock.json: Removed old vsce package and all its dependencies; added @vscode/vsce@3.7.1 with xml2js@0.5.0 and new dependencies including secretlint packages


"tsup": "^8.2.4",
"typescript": "^5.6.2",
"vsce": "^2.15.0"
"@vscode/vsce": "^3.7.1"
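Review bot: the new entry `"@vscode/vsce": "^3.7.1"` inherits the last slot in devDependencies from the removed `"vsce": "^2.15.0"` (neither line carries a trailing comma, unlike `"typescript": "^5.6.2",` above it), so if it is moved up to sort alphabetically, a trailing comma has to be added to it and removed from whichever entry becomes last, or package.json will no longer parse. Note also that the caret range on this line does not by itself pin xml2js; the package-lock.json change in this PR is what fixes the transitive version at 0.5.0, so the two files need to land together.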

Copilot AI Nov 27, 2025


The @vscode/vsce dependency should be placed in alphabetical order within the devDependencies section. It should appear after @vscode/dts (line 151) and before eslint (line 152) to maintain consistency with the rest of the dependencies.

@rocketstack-matt rocketstack-matt deleted the fix/vsce-xml2js-vulnerability branch November 27, 2025 15:07