
fix: prevent HTML injection in Svelte component generation and remove redundant code#12

Merged
Bekacru merged 1 commit into better-auth:main from hobostay:fix/svelte-html-injection
Apr 2, 2026

Conversation

@hobostay
Contributor

Summary

Fixed three issues in the codebase:

1. Security Issue - HTML Injection in Svelte Component Generation

In src/project-sync.ts, the generateSvelteComponent function directly inserts the className parameter into HTML attributes without proper escaping.

Before:

export const ${name}WithClass = (className: string) => 
  \`${escapedSvg.replace("<svg", '<svg class="' + '${className}"')}\`;

After:

export const ${name}WithClass = (className: string) => 
  \`${escapedSvg.replace("<svg", '<svg class=""')}\`.replace('class=""', 
    \`class="\${className.replace(/"/g, '&quot;')}"\`);

Impact: If a user passes a className containing double quotes (e.g., class-"with"-quotes), it would break the generated HTML structure.

2. Removed Redundant Null Check

In src/icon-utils.ts, the getIconPrefix function had an unnecessary null check since split(":")[0] always returns a string.

3. Removed Unused Return Field

In src/project-sync.ts, the existingName field in addIconToFile's return type was redundant with componentName and was never used.

Test plan

  • All existing tests pass (37 pass, 0 fail)
  • Build completes successfully
bun test  # 37 pass
bun run build  # Success
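The attribute-injection issue described in this PR, as an added example that is not the project's own code: a hypothetical generator with the vulnerable concatenation, the PR's quote-only escaping, and a fuller attribute escaper, plus a small round-trip check (a regex stand-in for what an HTML parser would read back as the class attribute). All names (SAMPLE_SVG, withClassUnescaped, withClassQuoteEscaped, withClassEscaped, escapeAttr, classRoundTrips) and the sample SVG are constructed for this example.

```javascript
// Constructed sample SVG; stands in for the escaped SVG string the generator works on.
const SAMPLE_SVG = '<svg viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>';

// Vulnerable: className is concatenated straight into the attribute, so a
// double quote in it closes the attribute early.
function withClassUnescaped(svg, className) {
  return svg.replace("<svg", '<svg class="' + className + '"');
}

// The PR's approach: escape only double quotes, which is enough to keep the
// attribute boundary intact.
function withClassQuoteEscaped(svg, className) {
  return svg.replace("<svg", `<svg class="${className.replace(/"/g, "&quot;")}"`);
}

// Fuller attribute escaping: &, <, >, " and ' are all neutralised, so the value is
// inert in any quoting context and a literal "&quot;" in the input survives as text.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function withClassEscaped(svg, className) {
  // A function replacer avoids String.prototype.replace's "$&"/"$1" substitution
  // patterns, which a string replacement would interpret if className contained them.
  return svg.replace("<svg", () => `<svg class="${escapeAttr(className)}"`);
}

// Read back the raw value of the class attribute on the opening <svg> tag.
// Simplistic stand-in for an HTML parser; returns null if no well-formed attribute is found.
function classAttrValue(markup) {
  const m = markup.match(/<svg\b[^>]*?\sclass="([^"]*)"/);
  return m ? m[1] : null;
}

// Decode the five entities an attribute escaper emits.
function decodeAttr(value) {
  const map = { "&quot;": '"', "&#39;": "'", "&lt;": "<", "&gt;": ">", "&amp;": "&" };
  return value.replace(/&quot;|&#39;|&lt;|&gt;|&amp;/g, (e) => map[e]);
}

// True when the class attribute a parser would see equals the className we intended,
// i.e. the generated markup's structure was not altered by the input.
function classRoundTrips(generate, className) {
  const raw = classAttrValue(generate(SAMPLE_SVG, className));
  return raw !== null && decodeAttr(raw) === className;
}

// Demonstration with the PR's own example input.
const demo = 'class-"with"-quotes';
console.log("unescaped  :", withClassUnescaped(SAMPLE_SVG, demo), classRoundTrips(withClassUnescaped, demo));
console.log("quote-only :", withClassQuoteEscaped(SAMPLE_SVG, demo), classRoundTrips(withClassQuoteEscaped, demo));
console.log("full escape:", withClassEscaped(SAMPLE_SVG, demo), classRoundTrips(withClassEscaped, demo));
```

The quote-only replacement is sufficient for the attribute-boundary problem the PR fixes; the fuller escaper additionally keeps an input such as `a&quot;b` from being decoded into `a"b` by the consumer, which is why a general-purpose attribute escaper is the usual default when values come from callers.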

… redundant code

- Fix HTML injection vulnerability in generateSvelteComponent where className
  was directly inserted into HTML attributes without escaping quotes
- Remove redundant null check in getIconPrefix (split() always returns string)
- Remove unused existingName field from addIconToFile return type

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Bekacru Bekacru merged commit 033316e into better-auth:main Apr 2, 2026
2 participants