platform
feat: Create vaadin-dev-flow and vaadin-dev-hilla
vaadin-dev now has vaadin-dev-flow and vaadin-dev-hilla. vaadin-core depends on vaadin-dev-flow to not get hilla if not wanted.
This will make vaadin and vaadin-core backwards compatible with older versions where hilla was not a dependency.
Implements part of #5230
Fixes #5260
Dependencies Report
Known Vulnerabilities:
- Vulnerabilities in: pkg:npm/[email protected] [CVE-2024-26467] (oss-bomber) This is coming from the tools, @cyclonedx/cyclonedx-npm, we have used for sbom module, FP for us.
- Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/[email protected] [CVE-2023-35116] (owasp) Not a valid CVE report based on the vendor analysis and research · cpe:2.3:a:fasterxml:jackson-databind::::::::
- Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-af53d63%2Bcef-104.4.23%2Bg46ae630%2Bchromium-104.0.5112.102 [CVE-2024-21639, CVE-2024-21640] (owasp) Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. So this vulnerability is not classified by us as a critical issue · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
No License Issues
An alternative solution is proposed here https://github.com/vaadin/hilla/pull/2383. This PR may become a refactoring PR that doesn't move hilla-dev, but just splits vaadin-dev into two artifacts.
This refactoring was proposed to start when we are ready for bigger changes or we have a request from users earlier with a good reason to split to vaadin-dev-flow and vaadin-dev-hilla.