[Snyk] Upgrade @vscode/webview-ui-toolkit from 1.2.2 to 1.4.0 #29


Open
wants to merge 1 commit into
base: main
Conversation

sumansaurabh

@sumansaurabh sumansaurabh commented Mar 20, 2025

User description

Snyk has created this PR to upgrade @vscode/webview-ui-toolkit from 1.2.2 to 1.4.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 3 versions ahead of your current version.

  • The recommended version was released a year ago.

Release notes
Package name: @vscode/webview-ui-toolkit
  • 1.4.0 - 2023-12-06

    Features

    • update dropdown styles: updates some dropdown styles to match new VS Code dropdown style (#532), closes #521

    Docs

    • fix image typo: fixes incorrect image used in badge docs (#522)

    Admin

    • bump @microsoft/fast-element: bumps @microsoft/fast-element from 1.6.2 to 1.12.0 (#525)
    • bump @microsoft/fast-foundation: bumps @microsoft/fast-foundation from 2.38.0 to 2.49.4 (#525), closes #494
    • bump @microsoft/fast-react-wrapper: bumps @microsoft/fast-react-wrapper from 0.1.18 to 0.3.22 (#525)
    • bump eslint related deps: bumps eslint and other related packages to latest stable versions (#526)
    • update ci pipelines: updates github and azure ci pipelines to use node v18 (#526)
    • bump prettier: bumps prettier from 2.2.1 to 3.1.0 (#528)
    • bump @microsoft/api-extractor: bumps @microsoft/api-extractor from 7.18.9 to 7.38.4 (#529)
    • add tsdoc.json: adds a tsdoc.json file to resolve api-extractor warnings (#529)
    • bump typescript: bumps typescript from 4.3.5 to 4.6.2 (#530), closes #514
    • add tslib production dep: fixes error in other package managers (i.e. yarn) where tslib could not be resolved (#531), closes #451
  • 1.3.1 - 2023-11-14

    Admin

    • update npmignore: adds a directory to npmignore (accidentally published a big test folder in v1.3.0, sorry 😅)
  • 1.3.0 - 2023-11-13

    Features

    • input border radius: adds a 2px border radius to input elements (text field and text area) to match new VS Code button style (#510)

    Docs

    • replace storybook with codesandbox: removes storybook and replaces it with codesandbox sample links (#460), closes #446
    • dropdown label: adds better docs on how to create labels in dropdown that adhere to VS Code design language (#463), closes #461
    • divider and radio group typos: fixes two typos found in the documentation (#462)
    • getting started: updates esbuild configuration code snippet in getting started guide (#450)
    • data grid typo: fixes data grid example code typo (#471)
    • contributing docs: removes deleted npm test and build:docs scripts from contributing doc (#492)
    • editable data grid: adds a new section to the data grid docs linking to the editable data grid sample extension (#499), closes #493
    • radio docs: adds note about workaround fix to the issue described in #476 (#511)

    Admin

    • remove jest dependency: removes unused jest dependency (#459)
    • react testing environment: adds npm script and testing environment to test toolkit react components (#478)
    • bump word-wrap: bumps word-wrap from 1.2.3 to 1.2.4 (#501)
    • bump @babel/traverse: bumps @babel/traverse from 7.15.4 to 7.23.2 (#515)
    • bump http-cache-semantics: bumps http-cache-semantics from 4.1.0 to 4.1.1 (#454)
    • bump json5: bumps json5 from 1.0.1 to 1.0.2 (#443)
  • 1.2.2 - 2023-02-24

    Bug fixes

    • fix react build script: fixes react build script that was generating incorrect react type declaration file (#456), closes #455

    Docs

    • new getting started guide: adds new content to getting started guide demoing better component API usage and extension CSP (#383), closes #74 and #348
    • update resource links: adds and removes a few links to resources in the project readme.md and getting-started.md (#447)
    • remove readme badge: removes deploy docs readme badge since it was broken due to removal of docs CD pipeline (#449)
    • data grid docs: updates data grid docs to show how to create data grids with React (#457), closes #453

    Admin

    • add .eslintrc.cjs to npmignore: forgot to include in a previous release (#444), resolves #438
    • enable codeql: adds codeql to azure pipeline for improved static analysis and security audits of toolkit source code (#441)
from @vscode/webview-ui-toolkit GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

Description

  • Upgraded @vscode/webview-ui-toolkit from version 1.2.2 to 1.4.0 to enhance functionality and security.
  • Updated related dependencies to ensure compatibility with the latest toolkit version.
  • Removed deprecated packages and ensured the project is using the latest versions of required libraries.

Changes walkthrough 📝

Relevant files

Dependencies

package-lock.json: Upgrade @vscode/webview-ui-toolkit to version 1.4.0
frameworks/hello-world-react-cra/webview-ui/package-lock.json

  • Upgraded @vscode/webview-ui-toolkit from version 1.2.2 to 1.4.0.
  • Updated dependencies for @microsoft/fast-element and @microsoft/fast-foundation.
  • Removed deprecated versions and added new dependencies.
  • +69/-49

package.json: Update package.json for toolkit version upgrade
frameworks/hello-world-react-cra/webview-ui/package.json

  • Updated @vscode/webview-ui-toolkit dependency version to 1.4.0.
  • Ensured compatibility with the latest React version.
  • +1/-1

    See this package in npm:
    @vscode/webview-ui-toolkit
    
    See this project in Snyk:
    https://app.snyk.io/org/sumansaurabh/project/3fb5945c-b43d-43fe-bdc6-6a00b5dd42ec?utm_source=github&utm_medium=referral&page=upgrade-pr
    penify-dev bot added the labels "enhancement" (New feature or request) and "Review effort [1-5]: 2" on Mar 20, 2025

    penify-dev bot commented Mar 20, 2025

    PR Review 🔍

    ⏱️ Estimated effort to review [1-5]

    2, because the changes are primarily version upgrades in the package-lock.json and package.json files, which are straightforward to review.

    🧪 Relevant tests

    No

    ⚡ Possible issues

    Deprecated Package: The upgraded version of @vscode/webview-ui-toolkit (1.4.0) is marked as deprecated. This could lead to issues in the future if the package is no longer maintained.

    🔒 Security concerns

    No


    penify-dev bot commented Mar 20, 2025

    PR Code Suggestions ✨

    Category: Security
    Suggestion: Verify the integrity hashes for the new package versions

    Verify that the integrity hashes for the new versions of the packages are correct to
    ensure the integrity of the packages.

    frameworks/hello-world-react-cra/webview-ui/package-lock.json [4322]

    -"integrity": "sha512-modXVHQkZLsxgmd5yoP3ptRC/G8NBDD+ob+ngPiWNQdlrH6H1xR/qgOBD85bfU3BhOB5sZzFWBwwhp9/SfoHww==",
    +// Ensure the integrity hash is correct
     
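    Review bot: Replacing the `"integrity"` line with a `//` comment would leave package-lock.json as invalid JSON (the lockfile format has no comments) and would remove the very check the suggestion asks for. Keep the line and verify the value out of band instead: `npm ci` fails when the fetched tarball does not match the recorded sha512, and the recorded value can be compared with the registry's `dist.integrity` for @vscode/webview-ui-toolkit@1.4.0 before merging.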
    Suggestion importance[1-10]: 8

    Why: Verifying integrity hashes is important for security and ensuring that the correct package versions are being used. This suggestion addresses a significant concern.

    Score: 8

    Category: Possible issue
    Suggestion: Review for potential breaking changes in the updated package version

    Check if the new version of @vscode/webview-ui-toolkit introduces any breaking changes
    that may affect the application.

    frameworks/hello-world-react-cra/webview-ui/package.json [12]

    -"@vscode/webview-ui-toolkit": "^1.4.0",
    +// Ensure to check for breaking changes in the new version
     
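    Review bot: The `+` line replaces the dependency declaration with a comment, which is not valid in package.json and would drop the dependency entirely; checking for breaking changes belongs in the review, not in the file. The release notes quoted above list only feature, docs and admin entries for 1.3.0, 1.3.1 and 1.4.0, so the change to review is the caret range `^1.4.0`, which is fine as long as package-lock.json pins the same resolved version.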
    Suggestion importance[1-10]: 7

    Why: Reviewing for potential breaking changes is a good practice when updating dependencies, but it is a general recommendation rather than a specific issue in the code. This suggestion is relevant but not critical.

    Score: 7

    Category: Compatibility
    Suggestion: Update the dependency version to ensure compatibility

    Ensure that the version numbers of dependencies are compatible with the new version of
    @vscode/webview-ui-toolkit to prevent potential conflicts.

    frameworks/hello-world-react-cra/webview-ui/package-lock.json [4326]

    -"@microsoft/fast-element": "^1.12.0",
    +"@microsoft/fast-element": "^1.14.0",
     
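    Review bot: Hand-editing the `@microsoft/fast-element` range in package-lock.json to `^1.14.0` contradicts the toolkit's own 1.4.0 release notes, which bump it to 1.12.0 (#525), and a lockfile edited by hand no longer agrees with its own resolved version, tarball URL and integrity fields. If a different fast-element version is really wanted, change it through npm so the lockfile is regenerated consistently.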
    Suggestion importance[1-10]: 6

    Why: Updating the dependency version to ensure compatibility is a good practice, but the existing version already appears to be compatible. This suggestion is helpful but not crucial.

    Score: 6

    Category: Maintainability
    Suggestion: Remove the deprecated warning for clarity

    Consider removing the deprecated warning for the new version of the package to avoid
    confusion for users.

    frameworks/hello-world-react-cra/webview-ui/package-lock.json [4323]

    -"deprecated": "This package has been deprecated, https://github.com/microsoft/vscode-webview-ui-toolkit/issues/561",
    +// Remove the deprecated warning line
     
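    Review bot: The `"deprecated"` field is registry metadata that npm copies into the lockfile, so deleting it (and adding a `//` comment, which breaks the JSON) only hides the notice and the next `npm install` writes it back. The bot's own "Possible issues" section already flags that 1.4.0 is deprecated (issue #561 in the removed line); the useful follow-up is to record the deprecation and plan a move off the toolkit, not to silence the warning.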
    Suggestion importance[1-10]: 3

    Why: While removing the deprecated warning could improve clarity, it is important for users to be aware of the deprecation status of the package. This suggestion does not address a critical issue.

    Score: 3
