
chore(deps): bump the prod-dependencies group across 1 directory with 2 updates #111

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/prod-dependencies-8f0dcba99c

Conversation

dependabot[bot] commented on behalf of github on May 18, 2026

Bumps the prod-dependencies group with 2 updates in the / directory: @sap/cds and onnxruntime-web.

Updates @sap/cds from 9.9.0 to 9.9.1

Updates onnxruntime-web from 1.24.3 to 1.26.0

Release notes

Sourced from onnxruntime-web's releases.

1.26.0

n.b. The following was generated via LLM from Git history. Only the contributor list has been verified.

ONNX Runtime Release 1.26.0

Announcement - Breaking Changes

  • Support for CUDA 12 will be removed in 1.27.0.
    • CUDA 13 will continue to be published as onnxruntime-<os>-<arch>-gpu_cuda13-<version>.<ext>
  • CUDA runtime will be moving soon to a dedicated Execution Provider (EP) instead of a published package from ORT core.

Highlights

  • Added optional memory mapping for .ort model loads (#28164).
  • Added RISC-V Vector (RVV) support for CPU EP (#28261).
  • OpenVINO EP upgraded for 1.26.0 development release (#28297).
  • WebGPU gained GridSample support (#28264) and Split-K improvements (#28151).
  • CUDA plugin EP gained graph support (#28002), profiling API (#28216).

Security and Reliability Hardening

  • Replaced unrestricted Python setattr configuration with an allowlist (#28083).
  • Hardened multiple OOB and overflow scenarios across ML and core ops:
    • Attention mask index OOB write (#27789).
    • MaxPoolGrad indices bounds validation (#27903).
    • SVM and TreeEnsemble bounds/security fixes (#27950, #27951, #27952, #27989).
    • RNN sequence_lens OOB read and integer overflow handling (#28052, #28003).
    • GroupQueryAttention seqlens_k bounds validation and compatibility follow-up (#28031, #28259).
    • MatMulBnb4 and ML coefficient SafeInt checks (#27995, #28001).
    • CUDA Gather int32 overflow fix (#28108).
    • GridSample float->int64 cast hardening for NaN/Inf/out-of-range coords (#28302).
  • Fixed session logger use-after-free during EP teardown under verbose logging (#28274).

CUDA, Attention, and MLAS

  • Filled CUDA opset/operator gaps and extended support:
    • Transpose opset 23 -> 25 (#27740).
    • QuantizeLinear/DequantizeLinear opset 25 (#28046).
    • CUDA TopK INT8/INT16/UINT8 support (#27862).
    • LabelEncoder CUDA support for numeric types (#28045).
  • Attention/GQA improvements:
    • Fixed ONNX Attention min-bias alignment crash on SM<80 and masked-batch NaN behavior (#27831).
    • Added FP32 QK accumulation path for unfused GQA attention (#28198).
    • Added CUDART_VERSION reduction compatibility in GQA attention (#28296).
    • Fixed CUDA 13 build error in GQA unfused attention (#28309).
    • PagedAttention fallback for SM<80 fp16 (#28200).
  • MLAS updates:
    • FP16 Gelu enablement (#26815).
    • Arm64 BF16 fast-math conv kernels for NCHW/NCHWc paths (#27878).

... (truncated)

Commits
  • 8c546c3 1.26.0 - cherry-pick for RC2 (#28347)
  • 55c5c82 GridSample: harden float->int64 casts against NaN/Inf/out-of-range coords (#2...
  • 60ce9cc Relax GQA seqlens_k shape validation for backward compat with older models (#...
  • d02a0fd Fix DoubleQDQPairsRemover adding spurious dimension to scalar scale/zero-poin...
  • 9b30f30 remove weights_are_all_positive_ from TreeEnsemble (#27552)
  • 5f2f848 fix(ci): incorrect relative template includes for setup-feeds (#28312)
  • de2bc90 Add QNN Plugin EP repo link to README (#28225)
  • 8dd4a06 Include license file in built distributions (#27783)
  • 6e19374 Fix CUDA 13 build error in gqa_unfused_attention.cu (#28309)
  • d6c363c [OVEP] OpenVINO EP 1.26.0 Development Release Updates (#28297)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by erscor, a new releaser for onnxruntime-web since your current version.


dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on May 18, 2026
… 2 updates

Bumps the prod-dependencies group with 2 updates in the / directory: [@sap/cds](https://cap.cloud.sap/) and [onnxruntime-web](https://github.com/Microsoft/onnxruntime).


Updates `@sap/cds` from 9.9.0 to 9.9.1

Updates `onnxruntime-web` from 1.24.3 to 1.26.0
- [Release notes](https://github.com/Microsoft/onnxruntime/releases)
- [Changelog](https://github.com/microsoft/onnxruntime/blob/main/docs/ReleaseManagement.md)
- [Commits](microsoft/onnxruntime@v1.24.3...v1.26.0)

---
updated-dependencies:
- dependency-name: "@sap/cds"
  dependency-version: 9.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: onnxruntime-web
  dependency-version: 1.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] changed the title from "chore(deps): bump the prod-dependencies group with 2 updates" to "chore(deps): bump the prod-dependencies group across 1 directory with 2 updates" on May 21, 2026

dependabot[bot] force-pushed the dependabot/npm_and_yarn/prod-dependencies-8f0dcba99c branch from 24931d7 to 7b02f3a on May 21, 2026 17:41