update copilot to 25.1.1

[vaadin-bot]

No description provided.

[github-actions]

Dependencies Report

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:maven/org.codehaus.plexus/plexus-utils@3.6.0 [CVE-2025-67030] (osv-bomber,osv-scan)
    ·
  • Vulnerabilities in: pkg:npm/serialize-javascript@6.0.2 [GHSA-5c6j-r48x-rmvq, CVE-2026-34043] (osv-bomber,oss-bomber,osv-scan)
    👌 This is a transitive dependency from workbox:7.4.0. We keep on tracking this issue Vulnerability: Update dependency @rollup/plugin-terser@0.4.4 that relies on vulnerable version serialize-javascript <=7.0.2 GoogleChrome/workbox#3470
    ·

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:npm/glob@11.1.0 [CVE-2025-64756] (oss-bomber)
    👌 False positive: based on the CVE statement, version 11.1.0 should out of the affected version range
    ·
  • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
    👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
    · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
    · cpe:2.3:a:ada:ada::::::::

• 📔 No Core License Issues

• 📔 No License Issues

• 🟠 Changes in 25.1-SNAPSHOT since V25.1.0-rc2

  • 1 packages removed (1 external, 0 vaadin)
  • 165 packages modified (55 external, 110 vaadin)
  • 745 packages same (620 external, 125 vaadin)

[Click for more Details]