
[Aikido] Fix 5 security issues in markdown-it, dompurify #595

Status: Open. aikido-autofix[bot] wants to merge 3 commits into master from fix/aikido-security-update-packages-51950103-opvc

Conversation

@aikido-autofix (Contributor) commented:

Upgrade markdown-it and dompurify to fix DoS via quadratic regex complexity and template injection XSS vulnerabilities.

✅ There are no breaking changes

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-48988 | MEDIUM | [markdown-it] A quadratic time complexity vulnerability in the smartquotes rule allows attackers to cause denial of service by submitting markdown with many consecutive quotation marks when the typographer option is enabled. Processing 160,000 quotes takes over 21 seconds due to inefficient string manipulation in the replaceAt() function. |
| AIKIDO-2026-36958 | LOW | [dompurify] Configuration and hook handling flaws allow security allowlists to be silently widened and enable prototype pollution, permitting unsafe HTML/attributes to survive sanitization and lead to DOM-based XSS attacks. |
| AIKIDO-2026-11156 | LOW | [dompurify] A vulnerability allows attackers to inject template expressions (template-literal, mustache, or ERB fragments) into template elements when using specific configuration options, which can be executed as script during downstream template evaluation. The fix ensures expression scrubbing recursively processes template content, similar to shadow-DOM traversal. |
| GHSA-vxr8-fq34-vvx9 | LOW | [dompurify] A retained Trusted Types policy in reused DOMPurify instances can survive clearConfig() calls, allowing a malicious or unsafe policy set by one caller to be used by a later caller requesting RETURN_TRUSTED_TYPE, resulting in XSS execution at Trusted Types sinks. This affects applications that reuse DOMPurify across trust boundaries without proper state isolation. |
| GHSA-gvmj-g25r-r7wr | LOW | [dompurify] Summary: When DOMPurify is configured with `SAFE_FOR_TEMPLATES: true` and DOM return modes (RETURN_DOM, IN_PLACE), attackers can inject template expressions like `${evil}` or `{{evil}}` inside `<template>` elements by splitting them across removed elements, bypassing sanitization and enabling template injection or XSS. The string output path is unaffected. |

aikido-autofix[bot] added the `aikido` label (label created by Aikido AutoFix) on Jun 19, 2026.
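To make the CVE-2026-48988 complexity claim concrete, here is an added example (not markdown-it's code and not part of this PR) that models a smartquotes-style pass two ways: a rebuild-the-whole-string replaceAt of the shape the advisory describes, and a single-pass version that collects segments and joins once. Both count the characters they copy, so the quadratic growth shows up as a number rather than a timer; the quote rule is a toy (straight double quotes only, alternating open/close) and the replaceAt body is an assumption, not taken from the upstream source.

```javascript
// Assumed shape of the problematic helper: every call rebuilds the whole
// string, so each replacement costs O(n) even though it changes one character.
function replaceAt(str, index, ch) {
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// Quadratic pattern: one full-string rebuild per quote found.
// Returns the converted text and how many characters were copied in total.
function smartQuotesQuadratic(text) {
  let out = text;
  let copied = 0;
  let open = true;
  for (let i = 0; i < out.length; i++) {
    if (out[i] !== '"') continue;
    out = replaceAt(out, i, open ? '\u201C' : '\u201D'); // “ or ”
    copied += out.length; // the whole string was rebuilt on this call
    open = !open;
  }
  return { out, copied };
}

// Linear alternative: remember where the last cut was, push the unchanged
// segment plus the replacement, and join once at the end.
function smartQuotesLinear(text) {
  const parts = [];
  let last = 0;
  let open = true;
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== '"') continue;
    parts.push(text.slice(last, i), open ? '\u201C' : '\u201D');
    last = i + 1;
    open = !open;
  }
  parts.push(text.slice(last));
  const out = parts.join('');
  return { out, copied: out.length }; // each character copied exactly once
}

// Work done for an input that is nothing but quotes, as in the advisory.
// For n quotes the rebuild approach copies about n*n characters, the
// single-pass approach about n.
function copyCost(n) {
  const input = '"'.repeat(n);
  return {
    quadratic: smartQuotesQuadratic(input).copied,
    linear: smartQuotesLinear(input).copied,
  };
}
```

Both functions produce identical output; only the amount of copying differs, which is the whole point of the upstream fix.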
