Commit 5ade30f

Authored by spe1020 and a co-author
security: direct dependency bumps and cloudflare routes migration (#375)
* security(dompurify): sanitize DM bubble output [refs #213] Made-with: Cursor
* security(dompurify): sanitize mention composer output [refs #213] Made-with: Cursor
* security(dompurify): bump dompurify [closes #213 #243 #245 #247] Made-with: Cursor
* security(dompurify): add sanitizer regression tests [refs #213 #243 #245 #247] Made-with: Cursor
* test(security): fix sanitize regression test typecheck harness Made-with: Cursor
* test(security): address copilot review on sanitizer regression tests
  - Import sanitizeHTML at top of file for the 7 tests that don't need a fresh module evaluation. Down from 8 module re-imports + hook registrations per file run to 2, addressing the hook-accumulation concern raised in PR #371 review.
  - Preserve original Object.prototype descriptors for tagNameCheck / attributeNameCheck via getOwnPropertyDescriptor and restore them exactly (or Reflect.deleteProperty when originally absent), instead of unconditionally `delete`-ing in finally.
  - Same pattern for the SSR test's globalThis.window override: capture the full original descriptor and restore it precisely.
  - Inline rationale on why the prototype-pollution test does NOT need module re-evaluation (dompurify resolves CUSTOM_ELEMENT_HANDLING config at sanitize-call time, not at module init).
* security: rewrite pnpm.overrides to use range floors [closes GHSA-2mjp-6q6p-2qxm GHSA-34x7-hfp2-rc4v GHSA-3v7f-55p6-f55p GHSA-4992-7rv2-5pvq GHSA-737v-mqg7-c878 GHSA-83g3-92jg-28cx GHSA-8qm3-746x-r74r GHSA-8qq5-rm4j-mr97 GHSA-9ppj-qmqm-q256 GHSA-cfw5-2vxh-hr84 GHSA-f23m-r3pf-42rh GHSA-f269-vfmq-vjvj GHSA-mwv9-gp5h-frr4 GHSA-qffp-2rhf-9h96 GHSA-qx2v-qp2m-jg93 GHSA-r5fr-rjxr-66jc GHSA-r6q2-hw4h-h46w GHSA-xxjr-mmjv-4gpg] Made-with: Cursor
* security(overrides): tighten range floors to caret-bounded majors
  Address PR #372 copilot review:
  1. Open-ended `>=X.Y.Z` floors could allow a future major release to resolve in during a lockfile regen, potentially breaking builds or runtime behavior. Convert all `pnpm.overrides` to `^X.Y.Z` to keep the security floor while pinning to the current major. Resolved versions in pnpm-lock.yaml are unchanged (tar@7.5.13, dompurify@3.4.2, picomatch@4.0.4, minimatch@10.2.5, etc.).
  2. Aligns the dompurify override (`^3.4.2`) with the direct devDependency declaration so the lockfile importer specifier and package.json declaration are consistent — addresses the confusing `>=3.4.2` vs `^3.4.2` mismatch flagged on pnpm-lock.yaml.
  Verified: pnpm install clean, pnpm test 85/85 pass, pnpm run check 0 errors, pnpm run build succeeds, audit shows no regression.
* security: bump vite to ^5.4.21 [closes #235 #236] Made-with: Cursor
* security: bump @sveltejs/kit [closes #106] Made-with: Cursor
* chore: bump @sveltejs/adapter-cloudflare for vite 6 compat Made-with: Cursor
* security: bump wrangler [closes #74] Made-with: Cursor
* security: bump markdown-it to ^14.1.1 [refs #84 #86 — defensive timeout in follow-up] Made-with: Cursor
* security: override js-yaml to patched line [closes #51] Made-with: Cursor
* security: bump @sveltejs/adapter-vercel [closes #95] Made-with: Cursor
* chore: migrate _routes.json config to adapter-cloudflare 7.x format Made-with: Cursor

---------

Co-authored-by: spe1020 <sethsager@Seths-MacBook-Air.local>
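The descriptor save/restore pattern from the `test(security)` item above, as an added example that is not code from the zap.cooking repository; the helper names (`withPrototypeOverride`, `readGuarded`, `readUnguarded`, `pollutionProbe`) and the `"polluted"` value are assumptions:

```javascript
// Added example, not code from the zap.cooking commit: the descriptor
// save/restore pattern the commit message describes for prototype-pollution
// regression tests. withPrototypeOverride, readGuarded, readUnguarded and
// pollutionProbe are assumed names; the "polluted" value is constructed.

// Run fn() while proto[key] is overridden, then restore the property to
// exactly its prior state. A bare `delete` in finally would wipe out a
// descriptor that existed before the test, leaking state into later tests.
function withPrototypeOverride(proto, key, value, fn) {
  const original = Object.getOwnPropertyDescriptor(proto, key);
  Object.defineProperty(proto, key, {
    value, configurable: true, enumerable: false, writable: true,
  });
  try {
    return fn();
  } finally {
    if (original === undefined) Reflect.deleteProperty(proto, key);
    else Object.defineProperty(proto, key, original);
  }
}

// Two ways a sanitizer-style consumer might read a config field at call time.
// The unguarded read is how a polluted Object.prototype reaches the logic.
function readUnguarded(config, key) { return config[key]; }
function readGuarded(config, key) {
  return Object.hasOwn(config, key) ? config[key] : undefined;
}

// Field-by-field comparison of two property descriptors (both may be absent).
function sameDescriptor(a, b) {
  if (a === undefined || b === undefined) return a === b;
  const fields = ["value", "writable", "enumerable", "configurable", "get", "set"];
  return fields.every((f) => a[f] === b[f]);
}

// Pollute Object.prototype[key] for a single read of an empty config object
// and report what each reader saw and whether the prototype was restored.
function pollutionProbe(key = "tagNameCheck") {
  const before = Object.getOwnPropertyDescriptor(Object.prototype, key);
  const seen = withPrototypeOverride(Object.prototype, key, "polluted", () => ({
    unguarded: readUnguarded({}, key),
    guarded: readGuarded({}, key),
  }));
  const after = Object.getOwnPropertyDescriptor(Object.prototype, key);
  return { ...seen, restoredExactly: sameDescriptor(before, after) };
}
```

The second probe in a test should target a key that already has a descriptor on the prototype, which is exactly the case a plain `delete` in `finally` gets wrong.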
1 parent: 2ec30b9; commit: 5ade30f

4 files changed

Lines changed: 570 additions & 336 deletions

package.json

Lines changed: 8 additions & 7 deletions
@@ -1,7 +1,7 @@
11
{
22
"name": "zap.cooking",
33
"license": "MIT",
4-
"version": "4.2.356",
4+
"version": "4.2.365",
55
"private": true,
66
"scripts": {
77
"dev": "vite dev",
@@ -70,7 +70,7 @@
7070
"jspdf": "^4.2.1",
7171
"jsqr": "^1.4.0",
7272
"libretranslate": "^1.0.1",
73-
"markdown-it": "^13.0.1",
73+
"markdown-it": "^14.1.1",
7474
"nostr-tools": "^2.13.0",
7575
"openai": "^6.16.0",
7676
"phosphor-svelte": "^1.4.2",
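Review bot: the `markdown-it` change from `^13.0.1` to `^14.1.1` crosses a major version, but neither the hunk nor the commit message records a migration check; markdown-it 14 moved to an ESM-only build, so confirm every import site and the SSR build still resolve it. The commit message also defers the "defensive timeout" for #84/#86 to a follow-up, so those references stay open after this bump and should not be read as closed by it.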
@@ -85,10 +85,10 @@
8585
},
8686
"devDependencies": {
8787
"@capacitor/assets": "^3.0.5",
88-
"@sveltejs/adapter-cloudflare": "^7.2.4",
88+
"@sveltejs/adapter-cloudflare": "^7.2.8",
8989
"@sveltejs/adapter-static": "^3.0.10",
90-
"@sveltejs/adapter-vercel": "^6.2.0",
91-
"@sveltejs/kit": "^2.49.5",
90+
"@sveltejs/adapter-vercel": "^6.3.3",
91+
"@sveltejs/kit": "^2.57.1",
9292
"@sveltejs/vite-plugin-svelte": "^3.1.2",
9393
"@tailwindcss/forms": "^0.5.10",
9494
"@tailwindcss/postcss": "^4.1.13",
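Review bot: the commit message justifies the `@sveltejs/adapter-cloudflare` bump to `^7.2.8` as "for vite 6 compat", yet the same diff keeps `"vite": "^5.4.21"` in this manifest; either the rationale in the message is stale or a Vite bump is missing, so reconcile the message with what is actually declared before merging.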
@@ -112,16 +112,17 @@
112112
"tailwindcss": "^4.1.0",
113113
"tslib": "^2.4.1",
114114
"typescript": "^5.0.0",
115-
"vite": "^5.0.0",
115+
"vite": "^5.4.21",
116116
"vite-plugin-node-polyfills": "^0.24.0",
117117
"vitest": "^2",
118-
"wrangler": "^4.42.0"
118+
"wrangler": "^4.87.0"
119119
},
120120
"packageManager": "pnpm@9.12.1+sha512.e5a7e52a4183a02d5931057f7a0dbff9d5e9ce3161e33fa68ae392125b79282a8a8a470a51dfc8a0ed86221442eb2fb57019b0990ed24fab519bf0e1bc5ccfc4",
121121
"pnpm": {
122122
"overrides": {
123123
"tar": "^7.5.13",
124124
"lodash": "^4.18.0",
125+
"js-yaml": ">=4.1.1",
125126
"undici": "^7.24.0",
126127
"defu": "^6.1.5",
127128
"devalue": "^5.6.4",
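Review bot: the new `"js-yaml": ">=4.1.1"` override is an open-ended floor, which is precisely the pattern the "tighten range floors to caret-bounded majors" item in this commit says was converted to `^X.Y.Z`; every neighbouring override in this hunk (`"tar": "^7.5.13"`, `"lodash": "^4.18.0"`, `"undici": "^7.24.0"`) is caret-bounded. Suggest `"js-yaml": "^4.1.1"` so a future js-yaml major cannot resolve in during a lockfile regeneration, for the same reason the message gives for the other overrides.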
