Heads-up
devbridge-autocomplete: XSS via unescaped formatGroup and formatResult
The default `formatGroup` and `formatResult` functions concatenate suggestion values and group labels into HTML without escaping, so attacker-controllable suggestion data can inject markup into the page (XSS).
What changed
The default `formatGroup` and `formatResult` functions concatenate suggestion values and group labels into HTML without escaping, leading to XSS vulnerabilities. Fixed in version 2.0.1.
Who it affects
Applications using devbridge-autocomplete that render attacker-controllable suggestion data, especially those using `groupBy` (group labels pass through `formatGroup`) or `minChars: 0` (suggestions are rendered before the user has typed anything).
What to do today
Update devbridge-autocomplete to version 2.0.1 or later, which escapes these values before building the suggestion markup.
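The contrast below is an added example and not code from the devbridge-autocomplete project: it shows the unescaped-concatenation pattern the advisory describes next to a hardened pair of formatters that escape every piece of text before it is placed in markup, and a small renderer that uses them. The option names `formatResult` and `formatGroup` come from the advisory; the `(suggestion, currentValue)` and `(suggestion, category)` signatures, the `autocomplete-group` class and the sample suggestions are assumptions constructed for this example.

```javascript
// Added example: vulnerable vs hardened suggestion formatters.
// Signatures and class names are assumptions, not the library's verified API.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape regex metacharacters so the typed text is matched literally.
function escapeRegExChars(s) {
  return String(s).replace(/[|\\{}()[\]^$+*?.]/g, '\\$&');
}

// VULNERABLE PATTERN: raw group label and suggestion value are spliced
// straight into HTML. Any markup in the data reaches the DOM unchanged.
function unsafeFormatGroup(suggestion, category) {
  return '<div class="autocomplete-group">' + category + '</div>';
}
function unsafeFormatResult(suggestion, currentValue) {
  if (!currentValue) return suggestion.value;
  var re = new RegExp('(' + escapeRegExChars(currentValue) + ')', 'gi');
  return suggestion.value.replace(re, '<strong>$1</strong>');
}

// HARDENED PATTERN: escape every text fragment before concatenation.
function safeFormatGroup(suggestion, category) {
  return '<div class="autocomplete-group">' + escapeHtml(category) + '</div>';
}
function safeFormatResult(suggestion, currentValue) {
  var value = String(suggestion.value);
  if (!currentValue) return escapeHtml(value);
  var re = new RegExp('(' + escapeRegExChars(currentValue) + ')', 'gi');
  // Match on the RAW text, then escape each piece. Escaping first and
  // matching afterwards would let a query like "amp" split an "&amp;"
  // entity in half. With a capturing group, split() puts the matched
  // pieces at odd indices.
  return value.split(re).map(function (part, i) {
    var escaped = escapeHtml(part);
    return i % 2 === 1 ? '<strong>' + escaped + '</strong>' : escaped;
  }).join('');
}

// Minimal renderer standing in for the plugin's list building: groups
// suggestions by the field named in `groupBy` and emits one line per entry.
function renderSuggestions(suggestions, currentValue, opts) {
  var formatResult = opts.formatResult;
  var formatGroup = opts.formatGroup;
  var groupBy = opts.groupBy;
  var html = '';
  var lastCategory = null;
  suggestions.forEach(function (s) {
    if (groupBy) {
      var category = s.data && s.data[groupBy];
      if (category !== lastCategory) {
        html += formatGroup(s, category);
        lastCategory = category;
      }
    }
    html += '<div class="autocomplete-suggestion">' +
      formatResult(s, currentValue) + '</div>';
  });
  return html;
}

// Constructed sample data: a suggestion value and a group label that carry
// markup, as attacker-controllable data from a remote source might.
var SAMPLE = [
  { value: '<b>Alpha</b>', data: { team: '<i>Red</i>' } },
  { value: 'Tom & Jerry', data: { team: 'Blue' } }
];

function demo() {
  return {
    unsafe: renderSuggestions(SAMPLE, 'al', {
      formatResult: unsafeFormatResult, formatGroup: unsafeFormatGroup, groupBy: 'team'
    }),
    safe: renderSuggestions(SAMPLE, 'al', {
      formatResult: safeFormatResult, formatGroup: safeFormatGroup, groupBy: 'team'
    })
  };
}
```

In the unsafe rendering the `<b>` and `<i>` tags from the data become live elements; in the safe rendering they appear as literal text while the typed prefix is still highlighted. Passing the hardened functions as the `formatResult` and `formatGroup` options is the same shape of mitigation the 2.0.1 fix applies in the defaults.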