1.4.3
Patch release — dependency security.
Clears the 8 Dependabot alerts in the frontend lockfile (npm overrides):
- dompurify 3.4.5 → 3.4.11 (7 advisories; mostly IN_PLACE-mode bypasses not used here — the markdown-view XSS neutralisation was re-verified on 3.4.11)
- markdown-it 14.1.1 → 14.2.0 (smartquotes quadratic-complexity DoS, CVE-2026-48988)
Also bumped from the same dependency tree:
- undici 7.25.0 → 7.28.0 (high; via jsdom, unreachable since DOMPurify makes no network calls)
- @babel/core → 7.29.7 (low, build-time)
npm audit reports 0 vulnerabilities. Container images (backend / worker / frontend) are published to GHCR by CI for this release — pull :1.4.3 and redeploy. Reminder: the worker service must use the *-worker image (bundles the JDK for index signing), never the *-backend image.