Fixes #320890

[sciafri]

Fixes #320890

Updates the resolved version of shell-quote from 1.8.3 to 1.8.4 in package-lock.json and remote/package-lock.json.

shell-quote <= 1.8.3 is affected by CVE-2026-9277 a command injection issue. The fix is resolved in shell-quote1.8.4.

shell-quote is pulled in by @vscode/sandbox-runtime (^1.8.3) in both the desktop and remote trees, and by npm-run-all2 (^1.7.3) at build time. All declared ranges already allow 1.8.4, so this is a lockfile-only change; no package.json updates are needed. The remote lockfile matters in particular since that tree ships with the server build.

How to test:

• npm ls shell-quote in the repo root and in remote/ reports 1.8.4 with no invalid markers
• npm ci installs cleanly from the updated lockfiles
• npm run compile succeeds
• npm run test-node passes - 10913 passing, 186 pending, 0 failing

Verified all of the above locally on Linux.

[Copilot]

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)

• remote/package-lock.json: Language not supported

[sciafri]

@microsoft-github-policy-service agree

[dmitrivMS]

We don't allow contributions to change package[-lock].json.