chore(deps)(deps): bump vue-router from 4.6.4 to 5.0.7 in /webui

[dependabot]

Bumps vue-router from 4.6.4 to 5.0.7.

Release notes

Sourced from vue-router's releases.

v5.0.7

   🚀 Features

• Upgrade to babel 8  -  by @​posva (8d3e6)
• Make defineParamParser() more intuitive  -  by @​posva (8715b)
• Upgrade @vue/devtools-api  -  by @​posva (87c3a)
• matcher: Hint at params: {} workaround in discarded params warning  -  by @​posva and shanliuling in vuejs/router#2689 (c2b13)
• param-parsers: Add include/exclude options  -  by @​posva (91cde)

   🐞 Bug Fixes

• matcher:
  • Finalize param token before processing escaped colon  -  by @​babu-ch and @​posva in vuejs/router#2654 (20521)
• query:
  • Use Object.create(null) to prevent prototype pollution  -  by @​wdskuki, wdsmini and @​posva in vuejs/router#2661 (be88c)
• resolve:
  • Omit empty optional params from resolved params  -  by @​babu-ch and @​posva in vuejs/router#2434 (1ef09)
• types:
  • Wire RouteNamedMap via generated routes.d.ts  -  by @​posva in vuejs/router#2700 (aef99)
• unplugin:
  • Avoid generating empty routes  -  by @​FrontEndDog and @​posva in vuejs/router#2642 (10a8b)
  • Apply definePage path-param parser overrides  -  by @​posva in vuejs/router#2699 (c8074)
• volar:
  • Drop runtime @vue/language-core import  -  by @​danielroe in vuejs/router#2710 (8af50)

    View changes on GitHub

v5.0.6

   🐞 Bug Fixes

• Missing closing quote in generated import  -  by @​zjy040525 and @​posva in vuejs/router#2688 (32f78)

    View changes on GitHub

v5.0.5

   🚀 Features

• Enable standard schema param parsers  -  by @​posva (ea8e3)
• Normalize param parsers once  -  by @​posva (48087)

   🐞 Bug Fixes

• Track definePage imports per-file to fix named view race condition  -  by @​posva (11191)
• Avoid double decoding hash on string location  -  by @​posva (1578c)

    View changes on GitHub

v5.0.4

   🐞 Bug Fixes

... (truncated)

Commits

• ddd20c3 release: vue-router@5.0.7
• 91cdec3 feat(param-parsers): add include/exclude options
• 8af50c9 fix(volar): drop runtime @vue/language-core import (#2710)
• b840cd6 chore(ci): set least-privilege workflow token permissions (#2708)
• 51c1672 chore(release): use @​clack/prompts
• af77a7c chore: playground param type
• 641200a refactor(param-parsers): simplify defineParamParser
• 9b9896e chore: comments
• d41897b refactor: wip of defineParamParser
• 17d51fb chore: logs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, frontend. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[ZeroPointSix]

总体结论：这个 PR 是 vue-router 4.6.4 -> 5.0.7 的 major 升级，当前改动没有被有效 review 覆盖；从 diff 看它不仅升级路由库，还引入了 Babel 8 RC、unplugin、chokidar 5 等新依赖和更高 Node engine 要求，建议不要在缺少 webui 构建验证的情况下直接合并。

关键发现：

• 高：仓库现有 .github/workflows/ci.yml 只跑 Python lint/test，没有执行 webui 目录下的 npm ci、npm run type-check 或 npm run build。因此这个前端 major 升级即使 PR 检查通过，也不能证明路由、类型检查和 Vite 构建可用。建议在合并前至少对本 PR 的 head 执行 cd webui && npm ci && npm run build，并最好把 webui build 加入 PR CI。
• 高：package-lock.json 显示 vue-router@5.0.7 新增的依赖包含 @babel/generator@8.0.0-rc.5，其 engine 要求为 ^22.18.0 || >=24.11.0；同时 @vue-macros/common、chokidar@5、unplugin@3 等依赖也要求 Node >=20.19.0 或类似范围。webui/package.json 当前没有声明 engines，CI 也没有固定 Node 版本。如果 Docker/部署/本地构建仍使用较旧 Node，可能出现安装警告、engine-strict 失败或构建失败。建议明确 webui 支持的 Node 版本，并用同一版本跑构建验证。
• 中：vue-router 的 peer 约束从 vue: ^3.5.0 提升到 vue: ^3.5.34，lockfile 同时把 Vue 解析到了 3.5.34，但 webui/package.json 仍声明 vue: ^3.5.13。这在当前 lock 下可工作，但后续重新安装时约束表达不够直观。建议同步把 vue 显式提升到满足 router peer 的版本，或说明为什么保持较宽范围是有意设计。
• 中：PR 只改依赖和 lockfile，没有说明是否检查过现有路由定义、动态参数、query/hash 行为与导航守卫。vue-router major 升级涉及 matcher、params、resolve/query 等行为变化，建议至少做一次核心页面导航回归检查。

优先级建议：

• 阻塞：补充 webui 的安装、类型检查和构建验证；确认构建 Node 版本满足新增依赖 engine。
• 高：确认 vue-router 5 对现有路由、params/query/hash 使用没有破坏性影响。
• 中：同步或解释 vue 版本声明与 router peer 约束。

后续建议：

• 如果这个前端会随主仓库发布，建议给 PR CI 增加独立 webui job：固定 Node 版本、执行 npm ci、npm run type-check/npm run build。这样后续 Dependabot 前端升级不会只被 Python CI 误判为安全。