Conversation

@nitodeco nitodeco commented Feb 9, 2026

Closes #24

[Screenshot of the diagnostic on marked 16.1.1: "This version has 1 high, 2 moderate vulnerabilities. Upgrade to 16.1.5 to"]

@nitodeco nitodeco requested a review from 9romise February 9, 2026 23:24
coderabbitai bot commented Feb 9, 2026

Walkthrough

This pull request implements vulnerability code actions for the extension. It adds a new timeout constant for vulnerability fetches, integrates a code action provider in the main extension entry point, and creates a VulnerabilityCodeActionProvider that offers QuickFix actions to update package versions. The vulnerability diagnostic system is enhanced to extract fixed-in version information from API responses, determine the best available fixed version, and propagate this data through diagnostic messages and codes. The VulnerabilitySummary interface is extended with an optional fixedIn field to support this new functionality.

Suggested reviewers

  • 9romise
Pre-merge checks: 3 passed

  • Description check: Passed. The PR description references issue #24 and includes screenshots demonstrating the vulnerability quick-fix feature with version recommendations.
  • Linked Issues check: Passed. The PR successfully implements all objectives from issue #24: surfacing earliest safe versions in vulnerability warnings, providing the minimum upgrade version, and enabling quick-fix code actions for version updates.
  • Out of Scope Changes check: Passed. All changes align with the PR objectives: constants for timeout, code action provider for vulnerability fixes, diagnostic enhancements with fixed-in versions, and API interface updates.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/providers/code-actions/vulnerability.ts (1)

47-51: Minor: Redundant parseVersion call on fixedInVersion.

The fixedInVersion extracted from the diagnostic code is already a raw semver string (e.g., "16.1.5"), so parseVersion(fixedInVersion)?.semver will return the same value. While this works correctly, it's slightly redundant.

♻️ Optional simplification
       const currentVersion = document.getText(diagnostic.range)
       const currentSemver = parseVersion(currentVersion)?.semver
-      const fixedSemver = parseVersion(fixedInVersion)?.semver ?? fixedInVersion
-      if (currentSemver && currentSemver === fixedSemver)
+      if (currentSemver && currentSemver === fixedInVersion)
         return []
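Review bot: The equality test that survives this simplification (`currentSemver === fixedInVersion`) only suppresses the action when the manifest is at exactly the fix version; a manifest already above it (for example 16.2.0 against a 16.1.5 fix) would still be offered a Quick Fix that downgrades. An ordering check (current version greater than or equal to the fix version, via the project's version helpers) would be the safer gate. Removing the `parseVersion(fixedInVersion)?.semver ?? fixedInVersion` fallback also makes the comparison depend on the API's fixed-in string always being a bare semver; that invariant is worth enforcing where the diagnostic code is built, since a prefixed or ranged value would silently never match here.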

        ? ` Upgrade to ${parsed.prefix}${fixedInVersion} to fix.`
        : ''
      const vulnerabilityCode = fixedInVersion
        ? `vulnerability|${fixedInVersion}`
Member

Diagnostic.code.value is user-facing in VS Code (it shows up in the Problems UI / diagnostic display). Encoding vulnerability|<fixedInVersion> here will likely confuse users because it looks like an implicit error code.
I’d recommend keeping it as vulnerability and passing the fix-version through a non-user-facing channel (or deriving it from the message) so the Quick Fix can still work without polluting the UI.
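The approach the comment above recommends, as an added example that is not part of this PR or the extension's own code: the diagnostic keeps `code` as the plain `vulnerability` identifier, the fix version reaches the Quick Fix through a side table keyed by document location (an assumption of this sketch; deriving it from the message would work too), and the action is offered only when the current version is below the fix, not merely unequal to it. It also shows one reading of the "best available fixed version" the walkthrough mentions: the highest per-advisory `fixedIn`, since each one is a lower bound (my interpretation, not the PR's). `parseSemver`, `compareSemver`, `bestFixedVersion`, `buildDiagnostic`, `quickFixFor`, the minimal `Diagnostic` type and the sample advisories are all constructed here; the `vscode` module is deliberately not imported so the file runs stand-alone.

```typescript
// Added example, not code from the extension under review: models the
// diagnostic / Quick Fix split without importing 'vscode'.
// Assumptions (not from the PR): VulnerabilitySummary.fixedIn is a bare
// semver string when present, and diagnostics are matched to their fix
// version by document URI plus range, never by encoding it into code.

type Severity = 'critical' | 'high' | 'moderate' | 'low'

interface VulnerabilitySummary {
  id: string
  severity: Severity
  fixedIn?: string
}

interface TextRange { line: number; start: number; end: number }

interface Diagnostic {
  range: TextRange
  message: string
  code: string // stays the stable identifier 'vulnerability'; nothing is smuggled into it
}

interface QuickFix { title: string; newText: string }

// Parses 'major.minor.patch', tolerating a range prefix such as ^ or ~.
// Pre-release tags are ignored, which is enough for this illustration.
function parseSemver(v: string): [number, number, number] | undefined {
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(v)
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : undefined
}

function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a)
  const pb = parseSemver(b)
  if (!pa || !pb) throw new Error(`not a semver: ${pa ? b : a}`)
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i]
  }
  return 0
}

// Earliest version that closes every advisory: each fixedIn is a lower bound,
// so the answer is the highest of them. Advisories without fixedIn are skipped.
function bestFixedVersion(vulns: VulnerabilitySummary[]): string | undefined {
  let best: string | undefined
  for (const v of vulns) {
    if (!v.fixedIn || !parseSemver(v.fixedIn)) continue
    if (best === undefined || compareSemver(v.fixedIn, best) > 0) best = v.fixedIn
  }
  return best
}

// "1 high, 2 moderate" style count, highest severity first.
function summarize(vulns: VulnerabilitySummary[]): string {
  const order: Severity[] = ['critical', 'high', 'moderate', 'low']
  const parts: string[] = []
  for (const sev of order) {
    const n = vulns.filter(v => v.severity === sev).length
    if (n > 0) parts.push(`${n} ${sev}`)
  }
  return parts.join(', ')
}

// Side channel from the diagnostic pass to the code action provider, keyed by
// location rather than object identity: diagnostics cross the extension-host
// boundary before a provider sees them, so identity-based lookups are fragile.
const fixVersions = new Map<string, string>()

function locationKey(uri: string, r: TextRange): string {
  return `${uri}:${r.line}:${r.start}-${r.end}`
}

function buildDiagnostic(uri: string, range: TextRange, vulns: VulnerabilitySummary[]): Diagnostic {
  const fixedIn = bestFixedVersion(vulns)
  const message = `This version has ${summarize(vulns)} vulnerabilities.`
    + (fixedIn ? ` Upgrade to ${fixedIn} to fix.` : '')
  if (fixedIn) fixVersions.set(locationKey(uri, range), fixedIn)
  else fixVersions.delete(locationKey(uri, range))
  return { range, message, code: 'vulnerability' }
}

// Returns the Quick Fix for a diagnostic, or undefined when none applies.
// The gate is an ordering, not equality: a manifest already above the fix
// version (16.2.0 against 16.1.5) must not be offered a downgrade.
function quickFixFor(uri: string, currentVersion: string, diag: Diagnostic): QuickFix | undefined {
  if (diag.code !== 'vulnerability') return undefined
  const fixedIn = fixVersions.get(locationKey(uri, diag.range))
  if (fixedIn === undefined || !parseSemver(currentVersion)) return undefined
  if (compareSemver(currentVersion, fixedIn) >= 0) return undefined
  const m = /^[\^~]/.exec(currentVersion) // keep the user's range prefix
  const prefix = m ? m[0] : ''
  return { title: `Update to ${prefix}${fixedIn}`, newText: `${prefix}${fixedIn}` }
}

// Constructed sample input: three advisories against one dependency.
const SAMPLE_URI = 'file:///tmp/package.json'
const SAMPLE_RANGE: TextRange = { line: 12, start: 15, end: 22 }
const SAMPLE_VULNS: VulnerabilitySummary[] = [
  { id: 'ADV-1', severity: 'high', fixedIn: '16.1.5' },
  { id: 'ADV-2', severity: 'moderate', fixedIn: '16.0.2' },
  { id: 'ADV-3', severity: 'moderate' },
]

const sampleDiag = buildDiagnostic(SAMPLE_URI, SAMPLE_RANGE, SAMPLE_VULNS)
console.log(sampleDiag.message)
console.log(quickFixFor(SAMPLE_URI, '^16.1.1', sampleDiag))
console.log(quickFixFor(SAMPLE_URI, '16.2.0', sampleDiag))
```

The Problems panel shows only `vulnerability` as the code, the message still carries the human-readable upgrade hint, and the provider looks the version up by location. Keying by location also means a re-run of the diagnostics for the same range overwrites or clears the stale entry, so a Quick Fix never suggests a version the latest scan no longer reports.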

Development

Successfully merging this pull request may close these issues.

Display earliest safe version for vulnurability check