Commit 823e10c
chore: bump visual-retrieval-colpali deps to fix Mend CVEs
Whole-manifest sweep of visual-retrieval-colpali to resolve the 18
HIGH/CRITICAL Mend findings flagged in the 2026-05-07 rescan.
Notable bumps in src/legacy-requirements.txt (full sweep, not just
flagged libs):
accelerate 0.34.2 -> 1.13.0 (CVE-2025-14925)
python-multipart 0.0.26 -> 0.0.27 (CVE-2026-42561)
torch 2.8.0 -> 2.11.0 (CVE-2025-55551, CVE-2026-24747)
transformers 5.0.0 -> 4.57.6 (CVE-2024-1139[2-4],
CVE-2025-1492[0,1,4,6-30])
huggingface-hub 0.36.0 -> 0.36.2
tokenizers 0.20.3 -> 0.22.2
pyproject.toml: relax `transformers==5.0.0` to `>=4.57.6,<5.0.0`.
The previous `==5.0.0` pin (added by Renovate PR #1903 / commit
952bb5f) was unsatisfiable because vidore-benchmark[interpretability]
4.0.x requires `transformers<5.0.0` and the application code imports
`vidore_benchmark.interpretability.torch_utils` (interpretability
module was removed in vidore-benchmark 5.0.0). Reverting to the
latest 4.x line yields a resolvable lockfile while still picking up
the silent CVE patches that landed across 4.48 -> 4.57.
Pillow remains at 10.4.0 -- transitively pinned `<11.0.0` by both
colpali-engine 0.3.1 and vidore-benchmark 4.0.x. Lifting it to 12.x
to clear the three pillow CVEs requires migrating off
vidore-benchmark[interpretability] (used by src/backend/colpali.py
and prepare_feed_deploy.py); that's a code refactor and out of scope
for this dep-bump PR.
Supersedes Renovate PR #1908 (python-multipart 0.0.27).
No local tests run; sample-apps integration tests are too heavy for
a dev box. Mend rescan after merge.
Related: VESPANG-3201, VESPANG-32711
parent ad7fd11 commit 823e10c
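The pin conflict the commit message describes (a `transformers==5.0.0` pin in pyproject.toml against a `transformers<5.0.0` requirement from vidore-benchmark 4.0.x, and Pillow held below 11 by two dependants) can be caught before a dependency-bump PR is opened by intersecting every party's specifier against the versions actually published. The checker below is an added example, not code from this repository or from Renovate/Mend; the package index it consults is a constructed in-memory dict, it handles only dotted numeric versions with the operators `==`, `!=`, `<`, `<=`, `>`, `>=`, and the constraint sets are transcribed from the commit message rather than read from the real manifests.

```python
"""Detect unsatisfiable pins across a manifest and its transitive constraints.

Added example, not code from the Vespa sample-apps repository. The package
index below is constructed for the demo (a few plausible versions per
package); the constraint sets mirror the commit message: transformers pinned
==5.0.0 while vidore-benchmark[interpretability] 4.0.x needs <5.0.0, and
Pillow held <11.0.0 by both colpali-engine 0.3.1 and vidore-benchmark 4.0.x.
Only a subset of PEP 440 is handled: dotted numeric versions and the
operators ==, !=, <, <=, >, >=. Real resolvers (pip, uv, poetry) handle far
more; this is the minimum needed to show how the conflict is detected.
"""
import operator
import re
from typing import Dict, List, Tuple

SPEC_RE = re.compile(r"\s*(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)\s*")

OPS = {
    "==": operator.eq, "!=": operator.ne, "<": operator.lt,
    "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}

# Constructed index: versions assumed to exist for the demonstration only.
INDEX: Dict[str, List[str]] = {
    "transformers": ["4.48.0", "4.57.6", "5.0.0"],
    "pillow": ["10.4.0", "11.0.0", "12.0.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.57' into (4, 57, 0) so 4.57 == 4.57.0 and 4.57 < 4.57.6."""
    parts = [int(p) for p in v.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_specifier(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """'>=4.57.6,<5.0.0' -> [('>=', (4,57,6)), ('<', (5,0,0))]; '' means any."""
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = SPEC_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec`."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_specifier(spec))


def resolvable(package: str, constraints: Dict[str, str],
               index: Dict[str, List[str]]) -> List[str]:
    """Return the index versions of `package` satisfying every constraint.

    `constraints` maps the constraining party (the manifest, or a dependant
    that pins the package transitively) to its specifier string. An empty
    result means the lockfile cannot be resolved with these pins.
    """
    return [v for v in index[package]
            if all(satisfies(v, spec) for spec in constraints.values())]


def explain(package: str, constraints: Dict[str, str],
            index: Dict[str, List[str]]) -> str:
    ok = resolvable(package, constraints, index)
    if ok:
        return f"{package}: resolvable, newest candidate {max(ok, key=parse_version)}"
    wants = "; ".join(f"{who} wants {spec}" for who, spec in constraints.items())
    return f"{package}: UNSATISFIABLE ({wants})"


# The situation before and after the pyproject.toml change in this commit.
TRANSFORMERS_BEFORE = {
    "pyproject.toml": "==5.0.0",
    "vidore-benchmark[interpretability] 4.0.x": "<5.0.0",
}
TRANSFORMERS_AFTER = {
    "pyproject.toml": ">=4.57.6,<5.0.0",
    "vidore-benchmark[interpretability] 4.0.x": "<5.0.0",
}
# Pillow today, and Pillow if a CVE-driven floor of 12.x were added on top.
PILLOW_CURRENT = {
    "colpali-engine 0.3.1": "<11.0.0",
    "vidore-benchmark 4.0.x": "<11.0.0",
}
PILLOW_WITH_CVE_FLOOR = dict(PILLOW_CURRENT, **{"mend-remediation": ">=12.0.0"})

if __name__ == "__main__":
    for pkg, cons in [("transformers", TRANSFORMERS_BEFORE),
                      ("transformers", TRANSFORMERS_AFTER),
                      ("pillow", PILLOW_CURRENT),
                      ("pillow", PILLOW_WITH_CVE_FLOOR)]:
        print(explain(pkg, cons, INDEX))
```

Running it reports the `==5.0.0` pin as unsatisfiable, the relaxed `>=4.57.6,<5.0.0` range as resolving to 4.57.6, Pillow as resolvable only at 10.4.0, and any 12.x floor as unsatisfiable until the `<11.0.0` dependants are removed, which is exactly why the Pillow CVEs are deferred to a separate refactor. A real pre-merge check would read the specifiers from the manifests and dependants' metadata and query the index rather than a dict, but the intersection logic is the same.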
2 files changed
Lines changed: 126 additions & 145 deletions
Diff table (hunk content not extracted from the page): one hunk covering original lines 21-27 of a file, in which original line 24 is removed and a new line 24 added.