fix: harden external protocol handling and unblock dev:electron

[DIYgod]

Description

• Harden desktop external URL handling by validating URLs, blocking ignored protocols, and requiring confirmation before opening non-HTTP(S) external schemes.
• Keep normal HTTP/HTTPS external opening behavior while preventing unsafe window.open flows tied to the security advisory.
• Fix pnpm dev:electron startup errors by switching to linkedom/worker and aliasing utf-8-validate to a local shim for main-process bundling.

PR Type

• Feature
• Bugfix
• Hotfix
• Other (please describe):

Screenshots (if UI change)

N/A

Demo Video (if new feature)

N/A

Linked Issues

• https://github.com/RSSNext/Folo/security/advisories/GHSA-pqfj-v48p-frh4

Additional context

• Validation run in this workspace: typecheck, lint:fix (warnings only), test, and dev:electron startup.

Changelog

• I have updated the changelog/next.md with my changes.

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

_{This report is generated by SafeDep Github App}

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.