fix: update npm packages

[joneugster]

Update npm packages to address vulnerabilities.

[joneugster]

Apparently there are now more packages after semver that need updating, in particular axios. See CI output.

Unfortunately, I didn't learn in #343 how to create the package-lock correctly

[mhuisi]

Apparently there are now more packages after semver that need updating, in particular axios. See CI output.
Unfortunately, I didn't learn in #343 how to create the package-lock correctly

The simplest way: Revert the changes you made to the package-lock, delete the node_module folders in the root directory, lean4-infoview-api, lean4-infoview, and vscode-lean4, and then re-run the setup steps from the docs.

[joneugster]

I'm sorry I haven't spotted the building instructions myself, but now I followed them.

(I don't fully understand lerna, so I deleted all four package-lock.json and node_module/ before following the building instructions: the ones in the main directory and in all three subdirectories. I believe that's right?)

[mhuisi]

I'm sorry I haven't spotted the building instructions myself, but now I followed them.

No worries, it took me a while to figure out myself.

so I deleted all four package-lock.json and node_module/ before following the building instructions

The package-lock.json files shouldn't be deleted - note that they are checked into the repo as well.

[joneugster]

I thought deleting/regenerating the package-lock.json was part of properly updating npm dependencies, is it not?

[mhuisi]

No. If you want to update dependencies, you should go through npm instead (e.g. via npm outdated and npm update), which manages the lock-file for you.

Generally speaking, we don't always want to update every dependency to its most recent version. In this PR, we only want to update those with vulnerabilities.

[joneugster]

I believe now this looks as it should, and hopefully that means I finally understood all the details.

[mhuisi]

Looks correct now!