
Fixing VS code issues #19

Open

Ibrahimrahhal wants to merge 2 commits into main from fixing_vs_code

Conversation

@Ibrahimrahhal (Member)

  • Vulnerability descriptions containing </script> (common in XSS-related CVEs) were breaking the inline script tag in the webview HTML, preventing acquireVsCodeApi() from executing
  • Added _safeJsonStringify() to escape < and > as unicode escapes (\u003c/\u003e) when embedding JSON data in script tags
  • We had a race condition where we might load the app before the VS Code API, so moved the acquireVsCodeApi() inline script before the module script and added a redundant call in the React entry point
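The escaping the description refers to, as an added example and not the PR's own code: `safeJsonStringify`, `buildScriptFragment`, the script layout and the sample finding below are assumptions, written to show why a naive `JSON.stringify` breaks the inline script and the unicode-escaped form does not.

```javascript
// Added example (not the PR's code): escape "<" and ">" as \u003c / \u003e
// so JSON embedded in an inline <script> can never contain a literal
// "</script>" sequence. The escapes are valid JSON, so JSON.parse (and the
// JS lexer, inside a string literal) still yields the original characters.
function safeJsonStringify(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// Count sequences the HTML tokenizer treats as the end of a script element.
// It matches "</script" case-insensitively, so the check does too.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Assumed webview layout: the inline script that calls acquireVsCodeApi()
// and inlines the initial state comes before the module script, so the API
// handle exists by the time the app module runs.
function buildScriptFragment(state, stringify = safeJsonStringify) {
  return [
    '<script>',
    '  const vscode = acquireVsCodeApi();',
    '  window.__initialState = ' + stringify(state) + ';',
    '</script>',
    '<script type="module" src="main.js"></script>',
  ].join('\n');
}

// Constructed sample finding: a description of the kind that broke the
// webview, because it carries a literal "</script>" inside its text.
const sampleFinding = {
  id: 'EXAMPLE-0001',
  description: 'Reflected XSS via <script>alert(1)</script> in the q parameter',
};

// Two intended closers with safe escaping; a third, premature one without it.
function closerCounts() {
  return {
    naive: countScriptClosers(buildScriptFragment(sampleFinding, JSON.stringify)),
    safe: countScriptClosers(buildScriptFragment(sampleFinding)),
  };
}
```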

Ibrahimrahhal requested a review from yhoztak on April 1, 2026 14:01
@corgea

corgea bot commented Apr 1, 2026

🐕 Corgea found the following new SCA issues in the codebase:

| Package | CVE | Severity | Version | Fixed Version | Ecosystem | Summary |
|---|---|---|---|---|---|---|
| simple-git | CVE-2026-28292 | CRITICAL | 3.27.0 | 3.32.3 | npm | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE |
| flatted | CVE-2026-33228 | HIGH | 3.3.2 | 3.4.2 | npm | Prototype Pollution via parse() in NodeJS flatted |
| rollup | CVE-2026-27606 | HIGH | 4.46.2 | 4.59.0 | npm | Rollup 4 has Arbitrary File Write via Path Traversal |
| tar | CVE-2026-23950 | HIGH | 7.4.3 | 7.5.4 | npm | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS |
| minimatch | CVE-2026-26996 | HIGH | 10.0.1 | 10.2.1 | npm | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern |
| tar-fs | CVE-2025-48387 | HIGH | 2.1.2 | 2.1.3 | npm | tar-fs can extract outside the specified dir with a specific tarball |
| underscore | CVE-2026-27601 | HIGH | 1.13.7 | 1.13.8 | npm | Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack |
| serialize-javascript | N/A | HIGH | 6.0.2 | 7.0.3 | npm | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() |
| axios | CVE-2025-27152 | HIGH | 1.7.9 | 1.8.2 | npm | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL |
| glob | CVE-2025-64756 | HIGH | 11.0.1 | 11.1.0 | npm | glob CLI: Command injection via -c/--cmd executes matches with shell:true |

Showing 10 out of 52 findings. See full results


@yhoztak left a comment


LGTM
