gchq/CyberChef

Bug report: DOM XSS in web worker via jsonpath-plus

nickcopi opened this issue · 0 comments

Describe the bug
XSS is possible in CyberChef via jsonpath-plus jpath evaluations. After working with Google to fix a case where they had similar exposure, they were able to motivate the maintainer to return to the library after announcing he was leaving in February and release a patch to prevent this.

To Reproduce
Steps to reproduce the behavior or a link to the recipe / input used to cause the bug:

  1. Go to https://gchq.github.io/CyberChef/#recipe=JPath_expression('$.entry%5B?((%5C'%5C'.sub.constructor(%5C'console.log%601337%60%5C')()))%5D.resource.class.code','%5C%5Cn')&input=eyJlbnRyeSI6W3sicmVzb3VyY2UiOnsicmVzb3VyY2VUeXBlIjoiYmxhaCJ9fV19&ieol=CRLF
  2. Open Chrome devtools and observe that console.log`1337` executed in the context of the web worker.

Expected behaviour
Untrusted user JSON paths should not lead to arbitrary JS evaluation. Bump the jsonpath-plus version up to the patched version.


Desktop (if relevant, please complete the following information):

  • OS: Windows 10
  • Browser: 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
  • CyberChef version: Version 10.19.2

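As an added example, not CyberChef's or jsonpath-plus's own code, a defence-in-depth check an application can run before handing a user-supplied JSONPath to the library: it rejects any script `(...)` or filter `?(...)` expression that appears outside a quoted string, so untrusted paths never reach the library's expression evaluator, while quoted keys such as `$['a(b)']` stay allowed. The `eval: false` option mentioned in the comments is assumed from the jsonpath-plus documentation and is not exercised here.

```javascript
// Defence-in-depth allow-list for JSONPath strings from untrusted users.
// Script expressions "(...)" and filters "?(...)" are the only JSONPath
// constructs that jsonpath-plus evaluates as code, so a path that contains
// an unquoted "(" or "?" is refused before any library call is made.
// Bumping to the patched jsonpath-plus release is still the primary fix;
// this check only limits exposure to the evaluator in the first place.
function checkUntrustedJsonPath(path) {
  let quote = null;    // quote character while inside a string literal
  let escaped = false; // previous character was a backslash inside a string
  for (const ch of path) {
    if (quote) {
      if (escaped) escaped = false;          // skip the escaped character
      else if (ch === '\\') escaped = true;
      else if (ch === quote) quote = null;   // string literal closed
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; continue; }
    if (ch === '(' || ch === '?') {
      return { ok: false, reason: `script or filter expression at "${ch}"` };
    }
  }
  if (quote) return { ok: false, reason: 'unterminated string literal' };
  return { ok: true, reason: null };
}

// Constructed inputs: the first two are benign, the third is the shape of
// the expression in the report above (filter body reaches Function via the
// String.prototype.sub constructor chain), the fourth a plain script subscript.
const samples = [
  "$.entry[0].resource.resourceType",
  "$['a(b)'].c",
  "$.entry[?(''.sub.constructor('console.log`1337`')())].resource.class.code",
  "$.entry[(@.length-1)]",
];

for (const p of samples) {
  const r = checkUntrustedJsonPath(p);
  console.log(r.ok ? 'ALLOW' : `REJECT (${r.reason})`, p);
  // On ALLOW the caller would run JSONPath({ path: p, json, eval: false })
  // (assumed option) so that even a missed expression cannot be evaluated.
}
```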