Update flow to 25.1.1

[vaadin-bot]

No description provided.

[github-actions]

Dependencies Report

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:npm/brace-expansion@2.0.3 [CVE-2026-33750] (osv-scan)
    ·

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:npm/serialize-javascript@6.0.2 [GHSA-5c6j-r48x-rmvq] (osv-bomber)
    👌 This is a transitive dependency from workbox:7.4.0. We keep on tracking this issue Vulnerability: Update dependency @rollup/plugin-terser@0.4.4 that relies on vulnerable version serialize-javascript <=7.0.2 GoogleChrome/workbox#3470
    ·
  • Vulnerabilities in: pkg:npm/glob@11.1.0 [CVE-2025-64756] (oss-bomber)
    👌 False positive: based on the CVE statement, version 11.1.0 should out of the affected version range
    ·
  • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
    👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
    · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
    · cpe:2.3:a:ada:ada::::::::

• 📔 No Core License Issues

• 📔 No License Issues

• 🟠 Changes in 25.1-SNAPSHOT since V25.1.0-rc2

  • 161 packages modified (51 external, 110 vaadin)
  • 750 packages same (625 external, 125 vaadin)

[Click for more Details]