
Update vulnerable client-side libraries and resource manifests #19326

Merged: MikeAlhayek merged 3 commits into main from ma/update-client-libraries on Jun 4, 2026

Conversation

MikeAlhayek (Member) commented Jun 2, 2026

PR description

Summary

Addresses the “Vulnerable Client-Side Library Discovered (Medium)” finding from the 2026 web application penetration test by upgrading the affected client-side libraries and refreshing the related OrchardCore resource metadata.

Changes in this PR

  • Upgraded jQuery UI from 1.12.1 to 1.14.2
  • Upgraded Vue 2 from 2.6.14 to 2.7.16
  • Upgraded Monaco Editor from 0.46.0 to 0.52.2
  • Updated local vendor assets and generated wwwroot output
  • Updated resource manifest version metadata, CDN URLs, and SRI hashes
  • Updated Monaco-related editor integration for compatibility with newer Monaco APIs
  • Resolved merge conflicts and rebuilt the affected frontend assets

Why Monaco was updated to 0.52.2 instead of 0.55.1

Monaco 0.55.1 is newer, but it introduces a different worker/module architecture that is not compatible with OrchardCore’s current AMD-based Monaco integration. In practice, that caused runtime failures in the admin editor, including worker loading issues and missing language-service handlers.

Monaco 0.52.2 is the highest version that preserves the older AMD-compatible structure OrchardCore expects, while still remediating the security concern that triggered this work.

Specifically:

  • The original issue came from Monaco 0.46.0 bundling DOMPurify 3.0.5
  • Monaco 0.52.2 upgrades the bundled DOMPurify to 3.1.7
  • This removes the vulnerable DOMPurify version without breaking OrchardCore’s Monaco-based admin editors
  • Monaco 0.55.1 was evaluated, but it caused editor worker/runtime regressions and was therefore not adopted

Resource/CDN updates

This PR also updates the related OrchardCore resource definitions so the library metadata stays accurate:

  • jQuery UI CDN updated to 1.14.2
  • Vue 2 CDN updated to 2.7.16
  • SRI hashes refreshed for the updated CDN-hosted jQuery UI and Vue 2 assets

Monaco is served from local OrchardCore assets rather than a CDN, so there is no Monaco CDN/SRI entry to update in the resource manifest.

Result

This change remediates the vulnerable client-side library finding while preserving working OrchardCore admin editor behavior.

I reviewed the comment from #15666 and ensured that there are no console errors in the UI, such as the Templates editor UI.

MikeAlhayek and others added 3 commits June 2, 2026 13:01
Upgrade jQuery UI 1.12.1 to 1.14.2, Vue 2.6.14 to 2.7.16, and
Monaco Editor 0.46.0 to 0.52.2 to address medium-severity findings
from the 2026 penetration test (vulnerable client-side libraries).

- jQuery UI 1.14.2: refreshed vendor files, CDN URLs and SRI hashes
- Vue 2.7.16: updated npm alias, vendor copy, CDN URLs and SRI hashes
- Monaco Editor 0.52.2: upgrades bundled DOMPurify from 3.0.5 to 3.1.7
- Applied KeyCode.KEY_S -> KeyCode.KeyS rename (breaking in Monaco 0.47+)
- Fixed Worker URL resolution for multi-tenant paths (prepend origin)
- Updated Assets.json copy paths and documentation references

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rdCMS/OrchardCore into ma/update-client-libraries

# Conflicts:
#	src/OrchardCore.Modules/OrchardCore.Liquid/Assets/package.json
#	src/OrchardCore.Modules/OrchardCore.Resources/Assets/package.json
#	src/OrchardCore.Modules/OrchardCore.Resources/ResourceManagementOptionsConfiguration.cs
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/base/browser/ui/codicons/codicon/codicon.ttf
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/base/worker/workerMain.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/abap/abap.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/apex/apex.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/azcli/azcli.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/bat/bat.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/bicep/bicep.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/cameligo/cameligo.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/clojure/clojure.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/coffee/coffee.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/cpp/cpp.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/csharp/csharp.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/csp/csp.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/cypher/cypher.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/dart/dart.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/dockerfile/dockerfile.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/ecl/ecl.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/elixir/elixir.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/flow9/flow9.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/freemarker2/freemarker2.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/fsharp/fsharp.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/go/go.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/graphql/graphql.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/handlebars/handlebars.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/hcl/hcl.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/html/html.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/ini/ini.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/java/java.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/javascript/javascript.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/julia/julia.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/kotlin/kotlin.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/less/less.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/lexon/lexon.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/liquid/liquid.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/lua/lua.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/m3/m3.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/markdown/markdown.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/mdx/mdx.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/mips/mips.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/msdax/msdax.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/mysql/mysql.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/objective-c/objective-c.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/pascal/pascal.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/pascaligo/pascaligo.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/perl/perl.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/pgsql/pgsql.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/php/php.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/pla/pla.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/postiats/postiats.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/powerquery/powerquery.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/powershell/powershell.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/pug/pug.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/python/python.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/qsharp/qsharp.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/r/r.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/razor/razor.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/redis/redis.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/redshift/redshift.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/restructuredtext/restructuredtext.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/ruby/ruby.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/rust/rust.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/sb/sb.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/scala/scala.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/scheme/scheme.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/shell/shell.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/solidity/solidity.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/sophia/sophia.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/sparql/sparql.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/sql/sql.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/st/st.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/swift/swift.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/systemverilog/systemverilog.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/tcl/tcl.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/twig/twig.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/typescript/typescript.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/vb/vb.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/xml/xml.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/basic-languages/yaml/yaml.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/css-CaeNmE3S.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/editor/editor.main.css
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/editor/editor.main.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/css/cssMode.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/css/cssWorker.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/html/htmlMode.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/html/htmlWorker.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/json/jsonMode.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/json/jsonWorker.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/typescript/tsMode.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/language/typescript/tsWorker.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/loader.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/protobuf-BmtuEB1A.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/scss-C1cmLt9V.js
#	src/OrchardCore.Modules/OrchardCore.Resources/wwwroot/Scripts/monaco/vs/wgsl-BhLXMOR0.js
#	src/docs/reference/modules/Resources/README.md
#	yarn.lock
@MikeAlhayek MikeAlhayek requested a review from agriffard June 2, 2026 21:20
Skrypt (Contributor) commented Jun 3, 2026

We need to refactor the Monaco Editor in OC. Probably with ESM.

MikeAlhayek (Member, Author) commented Jun 3, 2026

We need to refactor the Monaco Editor in OC. Probably with ESM.

@Skrypt I think that would be required to upgrade to 0.55.1, which is outside the scope of this PR. This PR is to fix the vulnerability found in the packages but keep things as they are.

Skrypt (Contributor) commented Jun 3, 2026

We don't have many functional tests to rely on to make sure these still work. I guess we need to trust that nothing is broken. Merge it, but beware of regressions. 😉

MikeAlhayek (Member, Author) commented

Yeah. I poked around to make sure nothing is broken, but feel free to test it as well.

gvkries (Member) commented Jun 4, 2026

Some time ago I tried to update Monaco to v55, but as far as I remember, I couldn't get our Liquid functionality running correctly as before. So I stopped working on it.

MikeAlhayek (Member, Author) commented

@gvkries Probably because of the loader. This PR upgrades it to 0.52.2, which is the last version before they changed how the loader works. 0.52.2 is the latest compatible version without the vulnerability.

If you can, please test-drive it to see if you can repro the issue you had when you tried to upgrade it back then.

gvkries (Member) commented Jun 4, 2026

I think you're right, this version is from before the problematic changes. I just did a quick check and the Liquid Intellisense worked as expected.

@MikeAlhayek MikeAlhayek merged commit 504d2fb into main Jun 4, 2026
13 checks passed
@MikeAlhayek MikeAlhayek deleted the ma/update-client-libraries branch June 4, 2026 19:48
4 participants