
chore: pin axios version #7632

Merged
bijin-bruno merged 6 commits into usebruno:main from sid-bruno:fix/pin-axios-cli
Mar 31, 2026

Conversation

@sid-bruno
Collaborator

@sid-bruno sid-bruno commented Mar 31, 2026

Description

Pin axios versions in CLI for the recent axios npm supply chain attack

Contribution Checklist:

  • I've used AI significantly to create this pull request
  • The pull request only addresses one issue or adds one feature.
  • The pull request does not introduce any breaking changes
  • I have added screenshots or gifs to help explain the change if applicable.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Note: Keeping the PR small and focused helps make it easier to review and merge. If you have multiple changes you want to make, please consider submitting them as separate pull requests.


Summary by CodeRabbit

  • Chores
    • Pinned axios to an exact version across the workspace to ensure consistent behavior and prevent unexpected version drift.
    • Added a root-level override to enforce the chosen axios release during installs.
    • Set minimum release age to 30 days for package resolution.
    • Minor formatting fix applied to root metadata (ensured newline at end of file).

Copilot AI review requested due to automatic review settings March 31, 2026 08:05
@coderabbitai
Contributor

coderabbitai bot commented Mar 31, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3ea164db-239c-42d8-8b96-969d223cc600

📥 Commits

Reviewing files that changed from the base of the PR and between 025faa7 and e1f56bb.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • .npmrc

Walkthrough

Root package.json now forces axios@1.13.6 via an overrides entry; several workspace package package.json files change their axios dependency specs to the exact 1.13.6. A new .npmrc key min-release-age=30 was added and root package.json newline was fixed.

Changes

Cohort / File(s): Summary
Root override (package.json): Added overrides entry forcing axios to 1.13.6; file newline at EOF fixed.
Workspace packages (packages/bruno-cli/package.json, packages/bruno-electron/package.json, packages/bruno-js/package.json, packages/bruno-requests/package.json, packages/bruno-tests/package.json): Replaced caret-range axios specs (^1.x.x) with exact 1.13.6 in each package's dependencies.
NPM config (.npmrc): Added min-release-age=30 configuration entry.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

size/M

Suggested reviewers

  • lohit-bruno
  • naman-bruno
  • helloanoop

Poem

🔒 We pin the tide, one-thirteen-six true,
Across the workspaces, versions few,
A tiny dot, a newline bright,
Stability snug for build and flight,
Devs sip coffee, CI hums anew.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately summarizes the main change: pinning axios to a specific version across the codebase in response to a security concern.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

Copilot AI left a comment


Pull request overview

Pins axios dependency specifications across several workspaces to reduce exposure to unexpected upstream releases, in response to a reported axios supply-chain incident.

Changes:

  • Replace axios caret ranges (^...) with exact versions in multiple workspace package.json files.
  • Add a root-level overrides entry for axios.
  • Update package-lock.json to reflect the new dependency specs/resolutions.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:
packages/bruno-tests/package.json: Pins axios to an exact version for the testbench package.
packages/bruno-requests/package.json: Pins axios to an exact version for the requests package.
packages/bruno-js/package.json: Pins axios to an exact version for the JS package.
packages/bruno-electron/package.json: Pins axios to an exact version for the Electron package.
packages/bruno-cli/package.json: Pins axios to an exact version for the CLI package.
package.json: Adds a repo-level axios override constraint.
package-lock.json: Lockfile updates corresponding to the new pin/override behavior.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 96: Replace the ranged security pin for the axios dependency
("axios":"<=1.13.2") with an exact version pin to prevent version drift; update
the package.json dependency entry for "axios" to a single, exact version string
(e.g., "1.13.2") so installs are deterministic and the supply-chain fix cannot
be bypassed by newer versions.

In `@packages/bruno-requests/package.json`:
- Line 27: The repo has mixed axios versions (packages/bruno-requests pins
"axios": "1.9.0" while CLI packages use 1.8.3), causing the CLI to load two
different axios builds used by makeAxiosInstance (local) and
makeAxiosInstanceForOauth2 (from `@usebruno/requests`); update package dependency
resolution so both sides use the same axios version (preferably 1.9.0), e.g.,
change packages/bruno-requests package.json to the unified version or bump the
CLI packages to 1.9.0, then regenerate the lockfile (npm/yarn/pnpm) to ensure a
single axios is installed and verify behavior of makeAxiosInstance and
makeAxiosInstanceForOauth2 still matches expected multipart/header/fetch error
handling.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bdb29b1f-4240-448a-8533-7078d0e04473

📥 Commits

Reviewing files that changed from the base of the PR and between f0866be and c5e04b0.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
  • package.json
  • packages/bruno-cli/package.json
  • packages/bruno-electron/package.json
  • packages/bruno-js/package.json
  • packages/bruno-requests/package.json
  • packages/bruno-tests/package.json
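The two review points above (exact pin rather than a range, and one axios build resolved for the whole workspace) can be turned into a repo check. The following is an added example, not code from this PR or from bruno: it takes already-parsed package.json and package-lock.json objects and reports range specs, pins that disagree with the chosen version, a missing root override, and a lockfile that would install more than one axios copy. The function name checkAxiosPins and all sample inputs are constructed for illustration.

```javascript
// Added example, not the PR's or the bruno project's code: check that every
// workspace package.json pins axios to one exact version, the root "overrides"
// entry agrees, and the lockfile resolves one axios copy. Inputs are constructed.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/; // rejects ^, ~, <=, ranges and tags

function checkAxiosPins(rootPkg, workspacePkgs, lockfile, wanted) {
  const problems = [];
  const override = (rootPkg.overrides || {}).axios;
  if (override !== wanted) {
    problems.push(`root overrides.axios is ${JSON.stringify(override)}, expected "${wanted}"`);
  }
  for (const [file, pkg] of Object.entries(workspacePkgs)) {
    const spec = (pkg.dependencies || {}).axios;
    if (spec === undefined) continue; // package does not depend on axios
    if (!EXACT_VERSION.test(spec)) {
      problems.push(`${file}: axios spec "${spec}" is a range, not an exact pin`);
    } else if (spec !== wanted) {
      problems.push(`${file}: axios pinned to ${spec}, expected ${wanted}`);
    }
  }
  // Lockfile v2/v3 keys every installed copy by its node_modules path, so a
  // nested ".../node_modules/axios" entry means a second axios build would load.
  const resolved = new Set();
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      resolved.add(entry.version);
    }
  }
  if (resolved.size !== 1 || !resolved.has(wanted)) {
    problems.push(`lockfile resolves axios to [${[...resolved].join(', ')}], expected only ${wanted}`);
  }
  return problems;
}

// Constructed "before" state: caret range, stray 1.9.0 pin, no override, nested second copy.
const before = checkAxiosPins(
  { name: 'bruno-root' },
  { 'packages/bruno-cli/package.json': { dependencies: { axios: '^1.8.3' } },
    'packages/bruno-requests/package.json': { dependencies: { axios: '1.9.0' } } },
  { packages: { 'node_modules/axios': { version: '1.8.3' },
                'packages/bruno-requests/node_modules/axios': { version: '1.9.0' } } },
  '1.13.6');

// Constructed "after" state matching this PR: exact pins, root override, one hoisted axios.
const after = checkAxiosPins(
  { name: 'bruno-root', overrides: { axios: '1.13.6' } },
  { 'packages/bruno-cli/package.json': { dependencies: { axios: '1.13.6' } },
    'packages/bruno-requests/package.json': { dependencies: { axios: '1.13.6' } } },
  { packages: { 'node_modules/axios': { version: '1.13.6' } } },
  '1.13.6');
```

Run it against the real files by reading and JSON.parse-ing each package.json and package-lock.json before calling checkAxiosPins; a non-empty result is a failing check for CI.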

@bijin-bruno bijin-bruno merged commit 3ea4898 into usebruno:main Mar 31, 2026
3 of 12 checks passed