Fix 29 audit findings across all severity tiers

Critical: fix unsquashfs arg order, quote Exec paths with spaces,
fix compare_versions antisymmetry, chunk-based signature detection,
bounded ELF header reads.

High: handle NULL CVE severity, prevent pipe deadlock in inspector,
fix glob_match edge case, fix backup archive path collisions, async
crash detection with stderr capture.

Medium: gate scan on auto-scan setting, fix window size persistence,
fix announce() for Stack containers, claim lightbox gesture, use
serde_json for CLI output, remove dead CSS @media blocks, add
detail-tab persistence, remove invalid metainfo categories, byte-level
fuse signature search.

Low: tighten Wayland env var detection, ELF magic validation,
timeout for update info extraction, quoted arg parsing, stop watcher
timer on window destroy, GSettings choices/range constraints, remove
unused CSS classes, define status-ok/status-attention CSS.
lashman
2026-02-27 22:08:53 +02:00
parent f87403794e
commit e9343da249
27 changed files with 1737 additions and 250 deletions

@@ -330,9 +330,12 @@ fn build_name_group(name: &str, records: &[&AppImageRecord]) -> DuplicateGroup {
/// Compare two version strings for ordering.
fn compare_versions(a: &str, b: &str) -> std::cmp::Ordering {
use super::updater::version_is_newer;
use super::updater::{clean_version, version_is_newer};
if a == b {
let ca = clean_version(a);
let cb = clean_version(b);
if ca == cb {
std::cmp::Ordering::Equal
} else if version_is_newer(a, b) {
std::cmp::Ordering::Greater
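Review bot: the equality check now runs on the `clean_version` output (`ca == cb`), but the following branch still calls `version_is_newer(a, b)` on the raw strings, so the two branches only agree if `version_is_newer` applies the same cleaning internally. Either compare the cleaned values in that branch as well, or state in the doc comment above `compare_versions` that `version_is_newer` normalises its inputs and that equality is decided after cleaning. Since the commit message names antisymmetry as the fix, a unit test asserting `compare_versions(a, b) == compare_versions(b, a).reverse()` for pairs that differ only in what `clean_version` strips would pin the behaviour down.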