
Upgrade vis-network from 8.5.5 to 10.0.3#100

Merged
alistair3149 merged 1 commit into master from upgrade-vis-network on May 8, 2026

Conversation


@alistair3149 alistair3149 commented May 8, 2026

Closes #77.

Bumps the bundled vis-network library 5 years forward (8.5.5 → 10.0.3) via the foreign-resources mechanism added in #99. About +22 KB to the bundle, plus a long tail of upstream fixes.

Summary

Two changes in one commit:

resources/lib/foreign-resources.yaml — bump version, src (npm tarball), integrity (sha384), and purl to vis-network 10.0.3. The tarball structure, license (Apache-2.0 OR MIT), homepage, authors, and dest-map paths are unchanged from 8.5.5; the LICENSE files inside the tarball are byte-identical between versions, so they don't appear in the diff.

resources/js/NetworkData.js — build the node tooltip as an HTMLElement instead of a string with HTML markup. v9.0.0 (visjs/vis-network#1275, Jan 2021) was an XSS fix that made node.title plain-text by default; passing an HTMLElement is the upstream-supported way to retain HTML rendering. The element is assembled with createTextNode for user-supplied content (page title, displayTitle) and <i> wrappers for the parts the extension adds (the (real title) and (redirect) suffixes). Because user-supplied content is never set via innerHTML, this is XSS-safe by construction — strictly safer than 8.5.5's old behaviour, where a wiki page with < or > in its {{DISPLAYTITLE}} would break out of the tooltip's HTML context.

Audit of breaking changes 8.5.5 → 10.0.3

I went through release notes for all 24 releases between 8.5.6 and 10.0.3:

  • v9.0.0 — XSS fix that changed node.title from "string interpreted as HTML" to "string interpreted as plain text". Addressed here.
  • v10.0.0 — packaging change (CJS/ESM dual). Transparent for our UMD-standalone consumption.
  • All other minors (8.5.6, 9.0.x, 9.1.x, 10.0.1–10.0.3) — bug fixes, type fixes, dependency bumps. None affect the vis-network surface this extension uses (new vis.Network, new vis.DataSet, .update, .get, the doubleClick/hold/select/zoom/dragEnd events, node.image / node.shape: 'image' / node.label / node.title, groups[*].image).

Test plan

  • php maintenance/run.php manageForeignResources verify --extension Network — exits 0 (the on-disk bytes match the declared integrity)
  • composer phpunit — 36/36
  • vendor/bin/phpcs -p -s — clean
  • vendor/bin/phpstan analyse — No errors
  • vendor/bin/psalm — No errors found
  • Browser smoke on the local Network test page:
    • Networks render with the new vis-network 10
    • Hover on a regular node shows just the displayTitle as plain text
    • Hover on a redirect (FooRedirect → Foo) shows the target with italicised (redirect) suffix
    • Hover on a page with {{DISPLAYTITLE:foo}} (where displayTitle ≠ page title) shows the displayTitle with italicised (Foo) suffix
  • CI: 5 PHPUnit matrix rows + static-analysis (with manageForeignResources verify) + code-style pass

The image-shape branch (Title Icon-rendered nodes) is unchanged by v9+ — node.image and node.shape: 'image' are independent of the tooltip code path. Verified by source audit of v10's Popup and DataSet pipelines; not exercised in the local browser test because the Title Icon extension isn't installed in the dev wiki.

Bumps the bundled vis-network library 5 years forward via the
foreign-resources mechanism added in the previous PR. Pulls in
roughly 22 KB of additional bundle size and a long tail of
upstream fixes.

Two changes:

- resources/lib/foreign-resources.yaml: bump version, src,
  integrity, and purl to vis-network 10.0.3. The tarball
  structure, license (Apache-2.0 OR MIT), and LICENSE files are
  unchanged from 8.5.5.
- resources/js/NetworkData.js: build the node tooltip as an
  HTMLElement instead of a string with HTML markup. v9.0.0 (Jan
  2021) included an XSS fix that made node.title plain-text by
  default; passing an Element is the upstream-supported way to
  retain HTML rendering. The element is assembled with
  createTextNode for the user-supplied page title and document
  fragments wrapped in <i> for the parts the extension adds (the
  '(real title)' and '(redirect)' suffixes). User-supplied
  content is never set via innerHTML, so this approach is
  XSS-safe by construction — a safer state than 8.5.5 left
  things in.

Closes #77.
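To make the tooltip change concrete, here is an added example (not code from the extension, from vis-network, or from the PR author) that builds the node tooltip both ways: the pre-v9 style, where the title is an HTML string that user-supplied `displayTitle` text is concatenated into, and the v9+ style the PR describes, where the title is an element assembled with `createTextNode` for the wiki text and `<i>` wrappers only for the suffixes the extension adds. The `page` object shape (`title`, `displayTitle`, `redirectTarget`) and the suffix rules are assumptions for illustration; `NetworkData.js` is not quoted here. The example uses the real `document` in a browser and falls back to a small constructed DOM stand-in under Node so it can run offline.

```javascript
'use strict';

// Browser-style serialisation of a text node: only & < > are escaped.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed DOM stand-in (assumption for this example) so the code runs
// under Node; in a browser the real `document` is used instead.
function makeShimDocument() {
  class TextNode {
    constructor(data) { this.data = String(data); }
    get textContent() { return this.data; }
    get outerHTML() { return escapeText(this.data); }
  }
  class Element {
    constructor(tag) { this.tagName = tag.toUpperCase(); this.childNodes = []; }
    appendChild(node) { this.childNodes.push(node); return node; }
    get textContent() { return this.childNodes.map((n) => n.textContent).join(''); }
    get innerHTML() { return this.childNodes.map((n) => n.outerHTML).join(''); }
    get outerHTML() {
      const t = this.tagName.toLowerCase();
      return `<${t}>${this.innerHTML}</${t}>`;
    }
  }
  return {
    createElement: (tag) => new Element(tag),
    createTextNode: (data) => new TextNode(data),
  };
}

const doc = typeof document !== 'undefined' ? document : makeShimDocument();

// Pre-v9 style: node.title as an HTML string. The wiki's displayTitle is
// interpolated raw, so '<' or '>' in {{DISPLAYTITLE}} become markup.
// (Hypothetical page shape: { title, displayTitle, redirectTarget }.)
function buildTooltipString(page) {
  if (page.redirectTarget) {
    return `${page.redirectTarget} <i>(redirect)</i>`;
  }
  let html = page.displayTitle;
  if (page.displayTitle !== page.title) {
    html += ` <i>(${page.title})</i>`;
  }
  return html;
}

// v9+ style: node.title as an HTMLElement. Every piece of wiki-controlled text
// goes through createTextNode; only the extension's own suffixes get <i>.
function buildTooltipElement(page) {
  const root = doc.createElement('div');
  const shown = page.redirectTarget ? page.redirectTarget : page.displayTitle;
  root.appendChild(doc.createTextNode(shown));

  let suffix = null;
  if (page.redirectTarget) {
    suffix = '(redirect)';
  } else if (page.displayTitle !== page.title) {
    suffix = `(${page.title})`;
  }
  if (suffix !== null) {
    root.appendChild(doc.createTextNode(' '));
    const i = doc.createElement('i');
    i.appendChild(doc.createTextNode(suffix)); // title text is still a text node
    root.appendChild(i);
  }
  return root;
}

// Constructed sample pages: one with markup in its display title, one
// redirect, one plain page.
const SAMPLE_MARKUP_PAGE = { title: 'Foo', displayTitle: 'Foo <b>bar</b>' };
const SAMPLE_REDIRECT_PAGE = { title: 'FooRedirect', displayTitle: 'FooRedirect', redirectTarget: 'Foo' };
const SAMPLE_PLAIN_PAGE = { title: 'Plain', displayTitle: 'Plain' };

// Returns true when the user-supplied displayTitle survives into the
// serialised tooltip as live markup (the pre-v9 hazard).
function stringFormLeaksMarkup(page) {
  return buildTooltipString(page).includes('<b>');
}
function elementFormLeaksMarkup(page) {
  return buildTooltipElement(page).innerHTML.includes('<b>');
}
```

With the markup sample, the string form serialises to `Foo <b>bar</b> <i>(Foo)</i>`, so the wiki-controlled `<b>` is real markup, while the element form's `innerHTML` is `Foo &lt;b&gt;bar&lt;/b&gt; <i>(Foo)</i>` and its `textContent` is the literal `Foo <b>bar</b> (Foo)`; the only `<i>` in the element form is the one the code itself created.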
@alistair3149 alistair3149 merged commit 65d64b0 into master May 8, 2026
7 checks passed
@alistair3149 alistair3149 deleted the upgrade-vis-network branch May 8, 2026 21:44

Development: successfully merging this pull request may close the issue "Upgrade visjs".