python · jupyterlab-git · Critical
jupyterlab-git: Stored XSS via unsanitized filenames in PlainTextDiff.ts
What changed
A stored XSS vulnerability was found in jupyterlab-git's PlainTextDiff.ts createHeader() method. It passes Git filenames directly to innerHTML without sanitization when rendering rename diffs, enabling RCE in the victim's JupyterLab session.
Who it affects
Users of JupyterLab with jupyterlab-git installed who clone or pull repositories from shared sources and view rename diffs in the Git History tab.
What to do today
Update jupyterlab-git to a patched version once available, or mitigate by replacing innerHTML with textContent or sanitizing filenames in PlainTextDiff.ts createHeader().
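The filename-sanitizing mitigation, as an added example that is not jupyterlab-git's own code: it contrasts raw interpolation of filenames into a string destined for innerHTML with escaping them first. The function names, the header markup and the sample filename are assumptions constructed for illustration.

```typescript
// Added example: names and header markup are hypothetical, not jupyterlab-git source.

// Characters that let a text value break out into markup or an attribute value.
const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Encode a Git-controlled string so an HTML parser treats it as text only.
// A single pass over the input means '&' is never double-escaped.
function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch] ?? ch);
}

// Unsafe pattern: filenames interpolated raw into a string assigned to innerHTML.
function renameHeaderUnsafe(previousName: string, currentName: string): string {
  return `<span>${previousName}</span> &rarr; <span>${currentName}</span>`;
}

// Hardened pattern: every filename is escaped before it reaches the template.
function renameHeaderSafe(previousName: string, currentName: string): string {
  return `<span>${escapeHtml(previousName)}</span> &rarr; <span>${escapeHtml(currentName)}</span>`;
}

// Constructed sample: a rename whose new filename contains markup characters.
const sampleOld = 'notes.txt';
const sampleNew = '<b>notes</b>&copy.txt';

console.log(renameHeaderUnsafe(sampleOld, sampleNew)); // filename would be parsed as markup
console.log(renameHeaderSafe(sampleOld, sampleNew)); // filename would render as literal text
```

In the browser, building the header with createElement and assigning each filename to textContent gives the same guarantee without any string escaping.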