Commit bc79b75

Update NPM packages (#5498)

Routine dependency refresh. Bumped patch/minor versions across the board
and a few majors:

- `uuid` 13 → 14 (only used as `v4` in `ExternalApi.ts`, no API changes)
- `sinon` 21 → 22 (`@types/sinon` not yet published for 22, staying on 21)
- `@types/vscode` ~1.110.0 → ~1.115.0 to align with `engines.vscode`
  ^1.114.0 (1.114 isn't published; 1.115 is the closest matching patch
  series). I held off bumping `engines.vscode` itself this round.
- Various minor/patch bumps: `@vscode/extension-telemetry`, `semver`,
  `@vscode/vsce`, `@types/node`, `@ungap/structured-clone`, `eslint`,
  `prettier`, `typescript`, `typescript-eslint`.

Skipped `@types/node` 25 (we're pinned to 22 to match Electron 39 / Node
22 in VS Code 1.114) and `untildify` 6 (ESM-only, we're CJS).

The `serialize-javascript` and `diff` overrides are still required —
mocha pulls in vulnerable transitive versions otherwise. I verified
both: removing either re-introduces the advisories. `npm audit` is
clean.

Resolves the two open Dependabot alerts:

- #86: `uuid` missing buffer bounds check in `v3`/`v5`/`v6` (fixed by
  the bump to `uuid` 14, which also pulls a patched 13.x transitively).
- #87: `fast-uri` path traversal / host confusion (now on 3.1.2 via
  `@vscode/vsce` 3.9.1 → `@secretlint/node` → `ajv`).

Verified `npm run compile`, `npm run lint`, `npm run format`, and
`npm audit` all pass.

Drafted by Copilot (Claude Opus 4.7).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent 13f95e0 commit bc79b75
2 files changed
Lines changed: 227 additions & 241 deletions