[Snyk] Security upgrade onnxruntime-web from 1.14.0 to 1.16.0

[sestinj]

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• core/vendor/modules/@xenova/transformers/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Arbitrary Code Injection SNYK-JS-PROTOBUFJS-16643421	721
	Arbitrary Code Injection SNYK-JS-PROTOBUFJS-16643442	721

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection

---

Summary by cubic

Upgrade onnxruntime-web from 1.14.0 to 1.16.0 in core/vendor/modules/@xenova/transformers/package.json to address high-severity arbitrary code injection risks via transitive protobufjs. Dependency bump only.

• Dependencies
  • onnxruntime-web: 1.14.0 → 1.16.0 (fixes SNYK-JS-PROTOBUFJS-16643421 and SNYK-JS-PROTOBUFJS-16643442)

^{Written for commit 83c241f. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 1 file

[continue]

Docs Review: No Updates Needed

This PR is a security upgrade of an internal vendored dependency (onnxruntime-web 1.14.0 → 1.16.0). Since this change:

• Affects only an internal vendored package
• Does not change any user-facing APIs or behavior
• Has no impact on developer configuration or usage

No documentation updates are required.