
fix: patch 16 security alerts (high+medium+low severity)#54

Merged
John Kennedy (jkennedyvz) merged 1 commit into main from fix/security-alerts-2026-04-04
Apr 4, 2026

Conversation

@jkennedyvz (Contributor)

Security Alert Patch

Resolves 16 Dependabot security alerts across all severity tiers (5 high, 8 medium, 3 low).

Packages Updated

| Package | Old Version | New Version | Strategy | Scope | CVEs Resolved |
|---|---|---|---|---|---|
| electron | 39.2.7 | 39.8.6 | A (direct bump) | dev + runtime | 16 |

Strategy: A = lockfile-only update (npm update electron), version within existing ^39.2.6 range.

CVE Details

High (5):

  • CVE-2026-34774 — Use-after-free in offscreen child window paint callback
  • CVE-2026-34780 — Context Isolation bypass via contextBridge VideoFrame transfer
  • CVE-2026-34771 — Use-after-free in WebContents fullscreen/pointer-lock/keyboard-lock permission callbacks
  • CVE-2026-34770 — Use-after-free in PowerMonitor on Windows and macOS
  • CVE-2026-34769 — Renderer command-line switch injection via undocumented commandLineSwitches webPreference

Medium (8):

  • CVE-2026-34779 — AppleScript injection in app.moveToApplicationsFolder on macOS
  • CVE-2026-34778 — Service worker can spoof executeJavaScript IPC replies
  • CVE-2026-34777 — Incorrect origin passed to permission request handler for iframe requests
  • CVE-2026-34776 — Out-of-bounds read in second-instance IPC on macOS and Linux
  • CVE-2026-34775 — nodeIntegrationInWorker not correctly scoped in shared renderer processes
  • CVE-2026-34773 — Registry key path injection in app.setAsDefaultProtocolClient on Windows
  • CVE-2026-34772 — Use-after-free in download save dialog callback
  • CVE-2026-34767 — HTTP Response Header Injection in custom protocol handlers and webRequest

Low (3):

  • CVE-2026-34764 — Use-after-free in offscreen shared texture release() callback
  • CVE-2026-34768 — Unquoted executable path in app.setLoginItemSettings on Windows
  • CVE-2026-34766 — USB device selection not validated against filtered device list

Linear Tickets

No matching Linear tickets found for the resolved CVEs.

Verification

  • All lockfiles regenerated
  • Linters pass (0 errors)
  • Type check passes

🤖 Submitted by langster-patch
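The PR relies on a lockfile-only bump staying inside the `^39.2.6` range declared in package.json. The following is an added example, not code from this PR or the project, of the check a reviewer would run before merging such a bump: read the resolved `electron` version out of a lockfileVersion 2/3 `package-lock.json`, confirm it is at or above the first patched release, and confirm it still satisfies the declared caret range (so no package.json change was needed). The package.json and lockfile objects below are constructed to mirror the PR's numbers; the fixed version `39.8.6` is taken from the PR table and not independently verified; the semver logic is a minimal hand-written implementation (core version plus optional pre-release, no build metadata), not the `semver` npm package.

```javascript
// Added example: verify a lockfile-only dependency bump.
// Minimal semver handling: "MAJOR.MINOR.PATCH[-prerelease]" only.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver core version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Negative if a < b, zero if equal, positive if a > b (strcmp style).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  // A pre-release sorts before the release it precedes (39.8.6-beta.1 < 39.8.6).
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] - +y.pre[i]; }
    else if (xn) return -1; // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Caret range "^X.Y.Z": allows changes that keep the left-most non-zero component fixed.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  const lo = parseVersion(base), v = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  let upper;
  if (lo.major > 0) upper = `${lo.major + 1}.0.0`;
  else if (lo.minor > 0) upper = `0.${lo.minor + 1}.0`;
  else upper = `0.0.${lo.patch + 1}`;
  // npm only admits a pre-release when its major.minor.patch matches the range's own tuple.
  if (v.pre.length > 0 && (v.major !== lo.major || v.minor !== lo.minor || v.patch !== lo.patch)) return false;
  return compareVersions(version, upper) < 0;
}

// Resolved version of a top-level dependency in a lockfileVersion 2/3 "packages" map.
function lockedVersion(lock, name) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry || !entry.version) throw new Error(`${name} not found in lockfile packages`);
  return entry.version;
}

// Is `name` pinned at or above `fixedVersion`, and does that pin still fit package.json's range?
function auditLock(pkgJson, lock, name, fixedVersion) {
  const range = (pkgJson.dependencies && pkgJson.dependencies[name]) ||
                (pkgJson.devDependencies && pkgJson.devDependencies[name]);
  if (!range) throw new Error(`${name} is not a declared dependency`);
  const locked = lockedVersion(lock, name);
  return {
    locked,
    patched: compareVersions(locked, fixedVersion) >= 0,
    withinRange: satisfiesCaret(range, locked),
  };
}

// Constructed sample input modelled on the PR (not the project's real files).
const samplePackageJson = { devDependencies: { electron: '^39.2.6' } };
const sampleLockBefore = { lockfileVersion: 3, packages: { 'node_modules/electron': { version: '39.2.7' } } };
const sampleLockAfter  = { lockfileVersion: 3, packages: { 'node_modules/electron': { version: '39.8.6' } } };
// First patched release per the PR table; assumption, not independently verified here.
const ELECTRON_FIXED = '39.8.6';

const beforeReport = auditLock(samplePackageJson, sampleLockBefore, 'electron', ELECTRON_FIXED);
const afterReport = auditLock(samplePackageJson, sampleLockAfter, 'electron', ELECTRON_FIXED);
console.log('before bump:', beforeReport);
console.log('after bump: ', afterReport);
```

For a real review, replace the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; a `withinRange: false` result means the bump could not have been lockfile-only and package.json must also have changed, which is worth confirming in the diff.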

John Kennedy (jkennedyvz) merged commit 26260b3 into main Apr 4, 2026
7 checks passed
