Github shows a vulnerability warning against VS Code extensions that have checked in the package-lock.json.

This is a false positive since the module in question is a development dependency and the module is not published with the extension.

See also microsoft/vscode-extension-vscode#106.

We should still eliminate the warning:

• In package.json in the devDependencies section, change the dependency of the vscode module to "vscode": "^1.1.17".
• run npm install
• check in the change.

Here are some extension that show this warning that should be fixed:

• vscode-tslint @egamma
• vscode-jshint @RMacfarlane
• vscode-extension-samples @sandy081
• vscode-languageserver-node @dbaeumer
• vscode-node-debug @weinand @isidorn
• vscode-mock-debug @weinand
• vscode-github-issues-prs @chrmarti
• vscode-azure-account @chrmarti