Tags: vaadin/flow

25.2.0-beta2

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: Sync frontend update script with main (#24593)

25.1.10

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: bump frontend dependency (25.1) (#24530)

Vulnerabilities have been found in the version we used in 25.1. Let us
update it to the latest version.

[CVE-2026-40181](https://nvd.nist.gov/vuln/detail/CVE-2026-40181) React
Router's same-origin redirect with path starting // causes open redirect
via protocol-relative URL reinterpretation
(osv-bomber,oss-bomber,osv-scan)
[CVE-2026-42211](https://nvd.nist.gov/vuln/detail/CVE-2026-42211) React
Router's vendored turbo-stream v2 allows arbitrary constructor
invocation via TYPE_ERROR deserialization leading to Unauth RCE
(osv-bomber,oss-bomber,osv-scan)
[CVE-2026-42342](https://nvd.nist.gov/vuln/detail/CVE-2026-42342) _React
Router vulnerable to DoS via unbounded path expansion in _manifest
endpoint (osv-bomber,oss-bomber,osv-scan)
[CVE-2026-34077](https://nvd.nist.gov/vuln/detail/CVE-2026-34077) React
Router vulnerable to Denial of Service via reflected user input in
single-fetch (osv-bomber,oss-bomber,osv-scan)

25.0.14

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: bump frontend dependency (25.0) (#24531)

Upgrade the frontend dependency to resolve vulnerabilities.

Same as in #24530.

24.10.7

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: upgrade react-router to 7.17.0 (24.10) (#24542)

Resolve vulnerabilities listed in #24530.

24.9.21

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: upgrade react-router to 7.17.0 (24.9) (#24543)

Resolve vulnerabilities listed in #24530.

25.1.9

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: upgrade gradle publish-plugin to 1.x (#24512)

24.10.6

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: upgrade gradle publish-plugin to 1.x (#24512) (CP: 24.10) (#24514)

This PR cherry-picks changes from the original PR #24512 to branch 24.10.
---
#### Original PR description
> _No description provided in the original PR._

Co-authored-by: Zhe Sun <31067185+ZheSun88@users.noreply.github.com>

24.9.20

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: upgrade gradle publish-plugin to 1.x (#24512) (CP: 24.9) (#24516)

This PR cherry-picks changes from the original PR #24512 to branch 24.9.
---
#### Original PR description
> _No description provided in the original PR._

Co-authored-by: Zhe Sun <31067185+ZheSun88@users.noreply.github.com>

25.2.0-beta1

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
chore: upgrade testbench to 10.2.0-beta1 (#24445)

25.1.7

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
fix: clear repeatable read transaction before running access tasks (#24400) (CP: 25.1) (#24426)

This PR cherry-picks changes from the original PR #24400 to branch 25.1.
---
#### Original PR description
> ## Summary
> 
> - Clear the session-scoped transaction **before** running pending access tasks during session unlock
> - This ensures effects triggered by access tasks see fresh signal values instead of stale cached values from the repeatable read transaction
> - Added a unit test to verify that clearing the transaction fallback allows fresh reads
> 
> ## Details
> 
> When a shared signal is updated concurrently with an ongoing UIDL request, effects associated with that UI would run with the repeatable read transaction used for the request. If the transaction cached the old value, effects would miss the update.
> 
> The fix moves `sessionScopedTransaction = null` to execute before `runPendingAccessTasks()` instead of after, ensuring access tasks read fresh values.
> 
> ## Test plan
> 
> - [ ] Existing unit tests pass
> - [ ] New `clearingFallback_allowsFreshReads` test verifies the fix behavior
> - [ ] Manual test with the reproduction case from the issue
> 
> Fixes #24399
> 
> Slack thread: https://vaadin.slack.com/archives/C6RAXJATF/p1779368249043829?thread_ts=1779368185.339629&cid=C6RAXJATF
> 
> https://claude.ai/code/session_01QW3F8K4uxGyaUNa9xwoKTR
> 
> ---
> _Generated by [Claude Code](https://claude.ai/code/session_01QW3F8K4uxGyaUNa9xwoKTR)_

Co-authored-by: Artur Signell <artur@vaadin.com>
Co-authored-by: Claude <noreply@anthropic.com>