@billxinli
Fixed an issue in which the apiKey is overwriting other fields in the settings config

@socket-security-staging

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: License policy violation: npm glob under BlueOak-1.0.0

License: BlueOak-1.0.0 - the applicable license policy does not allow this license (4) (npm metadata)

License: BlueOak-1.0.0 - the applicable license policy does not allow this license (4) (package/LICENSE.md)

License: BlueOak-1.0.0 - the applicable license policy does not allow this license (4) (package/package.json)

From: package-lock.json › npm/@vscode/vsce@3.6.0 › npm/glob@11.1.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/glob@11.1.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: High | Alert: Publisher changed: npm jws is now published by julien.wollscheid

Author: julien.wollscheid

From: package-lock.json › npm/@vscode/vsce@3.6.0 › npm/jws@3.2.3

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/jws@3.2.3. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: High | Alert: License policy violation: npm minimatch under BlueOak-1.0.0

License: BlueOak-1.0.0 - the applicable license policy does not allow this license (4) (npm metadata)

License: BlueOak-1.0.0 - the applicable license policy does not allow this license (4) (package/LICENSE.md)

License: BlueOak-1.0.0 - the applicable license policy does not allow this license (4) (package/package.json)

From: package-lock.json › npm/@vscode/vsce@3.6.0 › npm/minimatch@10.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/minimatch@10.1.1. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

```js
pleaseLoginStatusBar.tooltip = 'Socket Security needs to login for full functionality'
pleaseLoginStatusBar.command = `${EXTENSION_PREFIX}.login`

let defaultSettingsPath = path.join(dataHome, 'socket', 'settings')
```
@billxinli (Author)

This is throwing errors if there exists a directory called settings

Collaborator

There shouldn't be a directory called that; did something make that a directory? Technically, we should "own" that directory according to the various OS conventions, so if we don't see it in the wild we should leave this for now, as I'm not going to be defensive; we can't delete existing user stuff, so an error seems apt.

@billxinli (Author)

Probably need to pin some of these deps to when it is still MIT.

billxinli requested a review from bmeck, December 10, 2025 20:41

@bmeck (Collaborator) left a comment

LGTM, let's cut a release after this lands.

@bmeck (Collaborator) commented Dec 10, 2025

The license policy is ok for now; adding exception

@billxinli (Author)

> LGTM, let's cut a release after this lands.

👍 I don't have permission to merge, but I think this is good to go. I didn't see any tests in this repo.
