fix: exclude static assets from middleware matcher (#510)

* fix: exclude static assets from middleware matcher

The proxy middleware intercepted requests to public static files
(e.g. /bg-pattern.png on the signin page), causing a broken image
icon. Extend the matcher regex to skip common image extensions.

Backport of stacklok/stacklok-enterprise-platform#746.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add ip-address override to resolve GHSA-v2v4-37r5-5v8g

Transitive dep ip-address@10.1.0 (via @modelcontextprotocol/sdk →
express-rate-limit) has a medium severity vulnerability. Override
to >=10.1.1 resolves the Grype and pnpm audit failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: peppescg

src/proxy.ts

@@ -16,5 +16,7 @@ export function proxy(request: NextRequest) {
 
 export const config = {
   // Run on all routes except Next.js internals and static assets
-  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
+  matcher: [
+    "/((?!_next/static|_next/image|favicon\\.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+  ],
 };