Security improvements
- Restricted Realtime Database URLs to Firebase-owned hosts and reject non-root URLs with embedded paths, query strings, or fragments while preserving emulator support. Related OWASP Top 10:2025 entry: A02 Security Misconfiguration.
- Updated dependency
mtdowling/jmespath.phpto2.9.2to address CVE-2026-54133