Fix spawn of jetls.bat

[visr]

Fixes #339.

There are two separate commits. The first replaces jetls.exe with jetls.bat, as discussed in #332 and previously in #226.

As noted in #339 we can only spawn batch scripts on Windows after setting shell to true, for security considerations. The spawn docs mention:

If the shell option is enabled, do not pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

Users can configure the path with

"jetls-client.executable": {
    "path": "jetls.bat",
    "threads": "auto",
}

I'm not sure there is more to do from a security perspective, because any bad jetls.bat that is earlier on the path, or bad custom path that is entered here can do harm.

https://nodejs.org/api/child_process.html#child_processspawncommand-args-options
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

I'd prefer if Pkg apps would be .exe rather than .bat shims, using something like the Pixi trampoline:

https://pixi.sh/latest/global_tools/trampolines/
https://github.com/prefix-dev/pixi/tree/main/trampoline

But that is more of a Pkg issue.

[aviatesk]

Thank you for investigating and fixing this issue.
Since I don't use Windows, I haven't been able to actually verify the behavior, but I think your investigation and explanations are just accurate.