Commit 69a15df
chore(deps): resolve all npm audit vulnerabilities (22 -> 0) (#18)
Dev/publish tooling only — none of these dependencies ship in the bundled
extension (the runtime is bundled via esbuild; the audit surface was the
build, test, and publish chains).
- Most advisories cleared by `npm audit fix` (semver-compatible bumps:
ajv, brace-expansion, fast-uri, flatted, follow-redirects, glob, js-yaml,
lodash, qs, undici, uuid -> @Azure chain, etc.).
- Replace the deprecated `vsce` (2.x) with the maintained `@vscode/vsce`
(3.7.x), which still provides the `vsce` binary, so CI's `npx vsce
package` / `npx vsce publish` keep working. This also clears the stale
brace-expansion advisory carried by vsce 2.x.
- Move `ovsx` and `@vscode/vsce` to devDependencies (publish tools are not
runtime deps).
- Add overrides for the remaining transitive advisories under mocha:
diff ^8.0.3, serialize-javascript ^7.0.5, and a range-scoped
brace-expansion@<1.1.13 -> ^1.1.13 (leaves the 2.x/5.x trees untouched).
Verified: `npm audit` reports 0 vulnerabilities; `npm run compile`
(check-types + lint + esbuild) passes; mocha loads and instantiates with
the overridden diff@8.0.4 / serialize-javascript@7.0.5; `npx vsce package`
produces a valid .vsix.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 9ce5417 commit 69a15df
2 files changed
Lines changed: 592 additions & 426 deletions