Commit 4e40c09
Bump dompurify to avoid XSS vuln
I think this would be impossible to exploit in practice, since the
only untrusted markdown we parse are the API specs from our DB, but
now the exploit is public this could plausibly be exploited in a
future API spec DB update.
Bumping this neatly avoids that risk. Note that API specs are only
updated manually, not through any kind of automatic fetching, so an
attacker would have had to include this attack in a spec before it was
published, and AFAICT no existing specs contain any such injections.

1 parent 0211181 commit 4e40c09
1 file changed, +7 -6 lines changed