Source API version from package.json and validate infoURL protocol #32

Merged
Johnaverse merged 2 commits into fix/sonarqube-code-quality-v1.1.0 from copilot/sub-pr-31
Mar 7, 2026

Copilot AI commented Mar 6, 2026

The GET / endpoint returned a hardcoded version: '1.0.0' regardless of package.json, and showWebsite() in the frontend created anchor elements from data.infoURL without protocol validation, allowing non-http(s) schemes (e.g., javascript:) to be rendered as clickable links.

Changes

  • index.js — Replace hardcoded '1.0.0' with pkg.version via JSON import assertion:

    import pkg from './package.json' with { type: 'json' };
    // ...
    version: pkg.version,

  • public/app.js — Validate URL.protocol in showWebsite() before creating an anchor; any non-http:/https: scheme or invalid URL falls back to plain text:

    const url = new URL(data.infoURL);
    const protocol = url.protocol;
    if (protocol === 'http:' || protocol === 'https:') {
        // render anchor
    } else {
        webElem.textContent = data.infoURL; // unsafe scheme → plain text
    }

  • tests/integration/api.test.js — Update version assertion from '1.0.0' to '1.1.0' to match package.json.


Co-authored-by: Johnaverse <110527930+Johnaverse@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix SonarQube issues and bump version to 1.1.0" to "Source API version from package.json and validate infoURL protocol" Mar 6, 2026
Johnaverse marked this pull request as ready for review March 7, 2026 00:22
Johnaverse merged commit d2f1aeb into fix/sonarqube-code-quality-v1.1.0 Mar 7, 2026
Johnaverse deleted the copilot/sub-pr-31 branch March 9, 2026 21:41
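
The infoURL check described in the pull request, written out in full as an added example (not the project's code). The names safeHttpHref, renderWebsite and classifySamples and the sample values are assumptions made for illustration; it also covers the invalid-URL fallback and sets the anchor from the parsed URL rather than the raw string.

```javascript
// Added example, not the project's code; function names are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Return the parser-normalised href for an absolute http(s) URL, else null.
function safeHttpHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return null;
  }
  // url.protocol is lower-cased by the parser, which also strips tabs/newlines,
  // so 'JaVaScRiPt:' and 'java\tscript:' both compare as 'javascript:'.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Render data.infoURL into webElem: anchor for http(s), plain text otherwise.
// doc is the DOM document, passed in so this can be exercised without a browser.
function renderWebsite(doc, webElem, data) {
  const href = safeHttpHref(data.infoURL);
  if (href === null) {
    webElem.textContent = String(data.infoURL ?? '');
    return false;
  }
  const a = doc.createElement('a');
  a.href = href; // the parsed value that was checked, not the raw string
  a.textContent = data.infoURL;
  a.target = '_blank';
  a.rel = 'noopener noreferrer';
  webElem.replaceChildren(a);
  return true;
}

// Constructed sample values for infoURL.
const SAMPLES = [
  'https://example.org/docs',
  'JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
  'example.org',
];

function classifySamples() {
  return SAMPLES.map((s) => safeHttpHref(s) !== null);
}
```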