[Snyk] Upgrade @vscode/webview-ui-toolkit from 1.2.2 to 1.4.0

[sumansaurabh]

User description

Snyk has created this PR to upgrade @vscode/webview-ui-toolkit from 1.2.2 to 1.4.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 3 versions ahead of your current version.

• The recommended version was released a year ago.

Release notes

Package name: @vscode/webview-ui-toolkit

• 1.4.0 - 2023-12-06
  

  Features

  • update dropdown styles: updates some dropdown styles to match new VS Code dropdown style (#532), closes #521

  Docs

  • fix image typo: fixes incorrect image used in badge docs (#522)

  Admin

  • bump @ microsoft/fast-element: bumps @ microsoft/fast-element from 1.6.2 to 1.12.0 (#525)
  • bump @ microsoft/fast-foundation: bumps @ microsoft/fast-foundation from 2.38.0 to 2.49.4 (#525), closes #494
  • bump @ microsoft/fast-react-wrapper: bumps @ microsoft/fast-react-wrapper from 0.1.18 to 0.3.22 (#525)
  • bump eslint related deps: bumps eslint and other related packages to latest stable versions (#526)
  • update ci pipelines: updates github and azure ci pipelines to use node v18 (#526)
  • bump prettier: bumps prettier from 2.2.1 to 3.1.0 (#528)
  • bump @ microsoft/api-extractor: bumps @ microsoft/api-extractor from 7.18.9 to 7.38.4 (#529)
  • add tsdoc.json: adds a tsdoc.json file to resolve api-extrator warnings (#529)
  • bump typescript: bumps typescript from 4.3.5 to 4.6.2 (#530), closes #514
  • add tslib production dep: fixes error in other package managers (i.e. yarn) where tslib could not be resolved (#531), closes #451
• 1.3.1 - 2023-11-14
  

  Admin

  • update npmignore: adds a directory to npmignore (accidentally published a big test folder in v1.3.0, sorry 😅)
• 1.3.0 - 2023-11-13
  

  Features

  • input border radius: adds a 2px border radius to input elements (text field and text area) to match new VS Code button style (#510)

  Docs

  • replace storybook with codesandbox: removes storybook and replace it with codesandbox sample links (#460), closes #446
  • dropdown label: adds better docs on how to create labels in dropdown that adhere to VS Code design language (#463), closes #461
  • divider and radio group typos: fixes two typos found in the documentation (#462)
  • getting started: updates esbuild configuration code snippet in getting started guide (#450)
  • data grid typo: fixes data grid example code typo (#471)
  • contributing docs: removes deleted npm test and build:docs scripts from contributing doc (#492)
  • editable data grid: adds a new section to the data grid docs linking to the editable data grid sample extension (#499), closes #493
  • radio docs: adds note about workaround fix to the issue described in #476 (#511)

  Admin

  • remove jest dependency: removes unused jest dependency (#459)
  • react testing environment: adds npm script and testing environment to test toolkit react components (#478)
  • bump word-wrap: bumps word-wrap from 1.2.3 to 1.2.4 (#501)
  • bump @ babel/traverse: bumps @ babel/traverse from 7.15.4 to 7.23.2 (#515)
  • bump http-cache-semantics: bumps http-cache-semantics from 4.1.0 to 4.1.1 (#454)
  • bump json5: bumps json5 from 1.0.1 to 1.0.2 (#443)
• 1.2.2 - 2023-02-24
  

  Bug fixes

  • fix react build script: fixes react build script that was generating incorrect react type declaration file (#456), closes #455

  Docs

  • new getting started guide: adds new content to getting started guide demoing better component API usage and extension CSP (#383), closes #74 and #348
  • update resource links: adds and removes a few links to resources in the project readme.md and getting-started.md (#447)
  • remove readme badge: removes deploy docs readme badge since it was broken to due removal of docs CD pipeline (#449)
  • data grid docs: updates data grid docs to show how to create data grids with React (#457), closes #453

  Admin

  • add .eslintrc.cjs to npmignore: forgot to include in a previous release (#444), resolves #438
  • enable codeql: adds codeql to azure pipeline for improved static analysis and security audits of toolkit source code (#441)

from @vscode/webview-ui-toolkit GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

---

Description

• Upgraded @vscode/webview-ui-toolkit from version 1.2.2 to 1.4.0 to enhance functionality and security.
• Updated related dependencies to their latest versions for improved compatibility and performance.
• This upgrade addresses potential vulnerabilities and ensures the project uses the most recent features.

---

Changes walkthrough 📝

Relevant files

Dependencies

package-lock.json Upgrade @vscode/webview-ui-toolkit and related dependencies frameworks/hello-world-react-vite/webview-ui/package-lock.json Upgraded @vscode/webview-ui-toolkit from version 1.2.2 to 1.4.0. Updated dependencies for @microsoft/fast-element, @microsoft/fast-foundation, and @microsoft/fast-react-wrapper. Adjusted tslib version to 2.8.1. +69/-45  package.json Update package.json for toolkit version upgrade                    frameworks/hello-world-react-vite/webview-ui/package.json Changed @vscode/webview-ui-toolkit dependency version from 1.2.2 to 1.4.0. +1/-1

---

💡 Penify usage:
Comment /help on the PR to get a list of all available Penify tools and their descriptions

[penify-dev]

PR Review 🔍

⏱️ Estimated effort to review [1-5]	2, because the changes are primarily version upgrades in package-lock.json and package.json, which are straightforward to review.
🧪 Relevant tests	No
⚡ Possible issues	Deprecated Package: The upgraded version of @vscode/webview-ui-toolkit (1.4.0) is marked as deprecated. This could lead to future compatibility issues.
🔒 Security concerns	No

[penify-dev]

PR Code Suggestions ✨

Category	Suggestion	Score
Maintainability	Address the deprecation warning for the package to ensure future compatibility Consider addressing the deprecation warning for the '@vscode/webview-ui-toolkit' package, as it may affect future compatibility and maintenance. frameworks/hello-world-react-vite/webview-ui/package-lock.json [554] -"deprecated": "This package has been deprecated, https://github.com/microsoft/vscode-webview-ui-toolkit/issues/561", +// Consider replacing '@vscode/webview-ui-toolkit' with an alternative package or updating the code to handle the deprecation. Suggestion importance[1-10]: 8 Why: The suggestion addresses a deprecation warning that could impact future compatibility, which is an important maintainability concern.	8
Security	Verify the integrity hashes of new dependencies for security assurance Review the integrity hashes for the new dependencies to ensure they match the expected values and have not been tampered with. frameworks/hello-world-react-vite/webview-ui/package-lock.json [553] -"integrity": "sha512-modXVHQkZLsxgmd5yoP3ptRC/G8NBDD+ob+ngPiWNQdlrH6H1xR/qgOBD85bfU3BhOB5sZzFWBwwhp9/SfoHww==", +// Verify the integrity hash against the source to ensure security. Suggestion importance[1-10]: 7 Why: Verifying integrity hashes is crucial for security, and the suggestion correctly identifies a potential security concern with new dependencies.	7
Best practice	Use a more specific version range for dependencies to prevent unexpected breaking changes Consider using a more specific version range for the '@vscode/webview-ui-toolkit' dependency to avoid unexpected breaking changes in future updates. frameworks/hello-world-react-vite/webview-ui/package.json [11] -"@vscode/webview-ui-toolkit": "^1.4.0", +"@vscode/webview-ui-toolkit": "~1.4.0", Suggestion importance[1-10]: 6 Why: Using a more specific version range can help prevent breaking changes, but this is a minor improvement compared to addressing critical issues.	6
Compatibility	Update dependency versions to maintain compatibility across packages Ensure that the version numbers for dependencies are compatible with each other to avoid potential runtime issues. frameworks/hello-world-react-vite/webview-ui/package-lock.json [557] -"@microsoft/fast-element": "^1.12.0", +"@microsoft/fast-element": "^1.14.0", Suggestion importance[1-10]: 5 Why: While ensuring compatibility is important, the suggested change does not directly address a specific issue in the PR and is more of a general best practice.	5