Commit 893cd5b
chore(deps): rebase + sweep visual-retrieval-colpali deps (fixes accelerate CVE-2025-14925)

Re-runs bump_requirements.py on visual-retrieval-colpali/src/legacy-requirements.txt
on top of latest origin/master so the PR is mergeable again. The prior commit
(6acd221) had drifted 4 days behind master and conflicted on starlette
(Renovate's CVE bump 0.49.1 -> 1.0.1 hit master between approval and now).
Resetting the branch to origin/master and re-running the canonical flat-pin
helper yields a single clean commit with 126 bumps, no downgrades, no added
or removed packages.

CVE coverage on this file is unchanged from #1922's approved state:

  accelerate       -> 1.13.0   CVE-2025-14925 (HuggingFace accelerate
                               deserialization RCE) — fix version 1.10.1+
  transformers     -> 5.9.0    >= CVE-2025-14920 firstPatched 5.0.0rc3;
                               CVE-2026-4372 absent at >=5.0.0 per OSV
  torch            -> 2.12.0   keeps the prior bump
  colpali-engine   -> 0.3.16
  vidore-benchmark -> 5.0.0
  starlette        -> 1.2.0    >= master's 1.0.1 (CVE fix); no regression

Pillow stays at 12.2.0 (already past CVE-2026-40192 / -42311 / -25990 fix
version — those Mend rows on this repo are stale-in-Mend FPs).

The approved review on the prior head will likely be dismissed by this
force-push. Re-approval needed before merge.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent c540b99 commit 893cd5b
1 file changed
Lines changed: 126 additions & 126 deletions
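The properties the commit message asserts for the flat-pin file (no downgrades, no added or removed packages, pins at or above the stated fix versions) can be checked mechanically before re-approval. This is an added example, not part of the commit or of the repository's bump_requirements.py; the function names, the simplified version ordering and the "before" pins are assumptions constructed for illustration.

```python
import re

# Fix floors as stated in the commit message above.
FIX_FLOORS = {"accelerate": "1.10.1", "transformers": "5.0.0rc3", "starlette": "1.0.1"}
# "Before" pins are constructed sample data; "after" pins are the ones the message lists.
OLD = "accelerate==1.9.0\ntransformers==4.57.0\ntorch==2.12.0\nstarlette==1.0.1\nPillow==12.2.0\n"
NEW = "accelerate==1.13.0\ntransformers==5.9.0\ntorch==2.12.0\nstarlette==1.2.0\nPillow==12.2.0\n"

def vkey(version):
    """Sort key for simple versions: N(.N)* with optional aN/bN/rcN.
    Simplified (assumption): no epochs, post/dev or local segments."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()  # treat 1.0 and 1.0.0 as equal
    # A pre-release sorts below the final release with the same number.
    pre = (("a", "b", "rc").index(m.group(2)), int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(release), pre

def parse_pins(text):
    """Parse a flat-pin requirements file: one name==version per line."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"not an exact pin: {line!r}")
        # Normalise names so Pillow, pillow and PILLOW compare equal.
        pins[re.sub(r"[-_.]+", "-", name.strip()).lower()] = version.strip()
    return pins

def audit(old_text, new_text, floors=FIX_FLOORS):
    """Compare two pin sets and report anything a reviewer should reject."""
    old, new = parse_pins(old_text), parse_pins(new_text)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "downgraded": sorted(n for n in common if vkey(new[n]) < vkey(old[n])),
        "below_fix": sorted(n for n, f in floors.items() if n in new and vkey(new[n]) < vkey(f)),
        "bumps": sum(1 for n in common if vkey(new[n]) > vkey(old[n])),
    }

if __name__ == "__main__":
    print(audit(OLD, NEW))
```

Any non-empty `added`, `removed`, `downgraded` or `below_fix` list contradicts the commit message and is a reason to withhold re-approval.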