Backport shared plugin-updater hardening (from jpkcom-acf-jobs / creationell-captcha audit).
Security fixes:
- Prefer exact match against manifest download_url over the slug heuristic
so a tampered manifest cannot bypass the checksum gate.
- Timing-safe checksum comparison via hash_equals() with an is_string()
guard against hash_file() === false.
- Manifest fetch via wp_safe_remote_get() (SSRF defense-in-depth).
Compatibility fixes:
- Contributors now provide display_name (no PHP warning, names shown in
the plugin detail popup).
- no_update transient entry now carries new_version, package, tested and
requires_php (no warning/deprecation on wp plugin list).
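The checksum gate described under "Security fixes" above, as an added PHP example that is not the plugin's own code. The function names, the `checksum_sha256` manifest key and the sample URL are assumptions; `download_url` is the manifest field named in the commit message.

```php
<?php
// Added example with hypothetical names; plain PHP, no WordPress needed.

/** True when the package being installed is the one the manifest announced. */
function example_is_manifest_package(string $package_url, array $manifest): bool
{
    // Exact string match: the gate applies to whatever URL the manifest
    // names, whether or not that URL happens to contain the plugin slug.
    return isset($manifest['download_url'])
        && is_string($manifest['download_url'])
        && $package_url === $manifest['download_url'];
}

/** Fail-closed SHA-256 verification of a downloaded package file. */
function example_verify_package(string $file, array $manifest): bool
{
    $expected = $manifest['checksum_sha256'] ?? null; // assumed manifest key
    if (!is_string($expected) || preg_match('/^[0-9a-f]{64}$/i', $expected) !== 1) {
        return false; // missing or malformed checksum: reject
    }

    // hash_file() returns false on failure; hash_equals() needs two strings.
    $actual = is_readable($file) ? hash_file('sha256', $file) : false;
    if (!is_string($actual)) {
        return false;
    }

    // Constant-time comparison, known value first.
    return hash_equals(strtolower($expected), $actual);
}

// Constructed sample data.
$body = 'constructed sample package bytes';
$file = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($file, $body);
$manifest = [
    'download_url'    => 'https://updates.example.invalid/releases/plugin-1.2.3.zip',
    'checksum_sha256' => hash('sha256', $body),
];

var_dump(example_is_manifest_package($manifest['download_url'], $manifest));
var_dump(example_verify_package($file, $manifest));

file_put_contents($file, $body . ' modified');       // contents changed after hashing
var_dump(example_verify_package($file, $manifest));
var_dump(example_verify_package($file . '.missing', $manifest)); // unreadable file
unlink($file);
```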