chore: security patch for the dependency chain (#5400)

Bump non-major dependencies

---------

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>

package.json

@@ -27,11 +27,11 @@
     "@commitlint/cli": "19.8.1",
     "@commitlint/config-conventional": "19.8.1",
     "@hoppscotch/ui": "0.2.5",
-    "@types/node": "24.3.0",
+    "@types/node": "24.5.2",
     "cross-env": "10.0.0",
     "http-server": "14.1.1",
     "husky": "9.1.7",
-    "lint-staged": "16.1.5"
+    "lint-staged": "16.2.0"
   },
   "pnpm": {
     "overrides": {
@@ -41,7 +41,9 @@
       "execa@0.10.0": "2.0.0",
       "sha.js@2.4.11": "2.4.12",
       "subscriptions-transport-ws>ws": "7.5.10",
-      "vue": "3.5.20"
+      "vue": "3.5.20",
+      "form-data": "4.0.4",
+      "ws": "8.17.1"
     },
     "onlyBuiltDependencies": [
       "@apollo/protobufjs",

packages/hoppscotch-agent/package.json

@@ -14,7 +14,7 @@
     "@tauri-apps/api": "2.1.1",
     "@tauri-apps/plugin-shell": "^2.0.0",
     "@vueuse/core": "13.7.0",
-    "axios": "1.11.0",
+    "axios": "1.12.2",
     "fp-ts": "2.16.11",
     "lodash-es": "4.17.21",
     "vue": "3.5.20"
@@ -31,7 +31,7 @@
     "typescript": "5.9.2",
     "unplugin-icons": "22.2.0",
     "unplugin-vue-components": "29.0.0",
-    "vite": "6.3.5",
+    "vite": "6.3.6",
     "vue-tsc": "2.2.0"
   }
 }

packages/hoppscotch-backend/package.json

@@ -40,11 +40,11 @@
     "@nestjs/jwt": "11.0.0",
     "@nestjs/passport": "11.0.0",
     "@nestjs/platform-express": "11.1.6",
-    "@nestjs/schedule": "6.0.0",
+    "@nestjs/schedule": "6.0.1",
     "@nestjs/swagger": "11.2.0",
     "@nestjs/terminus": "11.0.0",
     "@nestjs/throttler": "6.4.0",
-    "@prisma/client": "6.14.0",
+    "@prisma/client": "6.16.2",
     "argon2": "0.44.0",
     "bcrypt": "6.0.0",
     "class-transformer": "0.5.1",
@@ -61,22 +61,22 @@
     "handlebars": "4.7.8",
     "io-ts": "2.2.22",
     "morgan": "1.10.1",
-    "nodemailer": "7.0.5",
+    "nodemailer": "7.0.6",
     "passport": "0.7.0",
     "passport-github2": "0.1.12",
     "passport-google-oauth20": "2.0.0",
     "passport-jwt": "4.0.1",
     "passport-local": "1.0.0",
     "passport-microsoft": "2.1.0",
-    "posthog-node": "5.7.0",
-    "prisma": "6.14.0",
+    "posthog-node": "5.8.8",
+    "prisma": "6.16.2",
     "reflect-metadata": "0.2.2",
     "rimraf": "6.0.1",
     "rxjs": "7.8.2"
   },
   "devDependencies": {
     "@eslint/eslintrc": "3.3.1",
-    "@eslint/js": "9.34.0",
+    "@eslint/js": "9.36.0",
     "@nestjs/cli": "11.0.10",
     "@nestjs/schematics": "11.0.7",
     "@nestjs/testing": "11.1.6",
@@ -85,26 +85,26 @@
     "@types/cookie-parser": "1.4.9",
     "@types/express": "5.0.3",
     "@types/jest": "30.0.0",
-    "@types/node": "24.3.0",
+    "@types/node": "24.5.2",
     "@types/nodemailer": "7.0.1",
     "@types/passport-github2": "1.2.9",
     "@types/passport-google-oauth20": "2.0.16",
     "@types/passport-jwt": "4.0.1",
     "@types/passport-microsoft": "2.1.0",
     "@types/supertest": "6.0.3",
-    "@typescript-eslint/eslint-plugin": "8.40.0",
-    "@typescript-eslint/parser": "8.40.0",
+    "@typescript-eslint/eslint-plugin": "8.44.1",
+    "@typescript-eslint/parser": "8.44.1",
     "cross-env": "10.0.0",
-    "eslint": "9.34.0",
+    "eslint": "9.36.0",
     "eslint-config-prettier": "10.1.8",
     "eslint-plugin-prettier": "5.5.4",
-    "globals": "16.3.0",
-    "jest": "30.0.5",
+    "globals": "16.4.0",
+    "jest": "30.1.3",
     "jest-mock-extended": "4.0.0",
     "prettier": "3.6.2",
     "source-map-support": "0.5.21",
     "supertest": "7.1.4",
-    "ts-jest": "29.4.1",
+    "ts-jest": "29.4.4",
     "ts-loader": "9.5.4",
     "ts-node": "10.9.2",
     "tsconfig-paths": "4.2.0",

packages/hoppscotch-cli/package.json

@@ -42,7 +42,7 @@
   "private": false,
   "dependencies": {
     "aws4fetch": "1.0.20",
-    "axios": "1.11.0",
+    "axios": "1.12.2",
     "chalk": "5.6.0",
     "commander": "14.0.0",
     "isolated-vm": "5.0.4",

packages/hoppscotch-common/package.json

@@ -58,7 +58,7 @@
     "@vueuse/core": "13.7.0",
     "acorn-walk": "8.3.4",
     "aws4fetch": "1.0.20",
-    "axios": "1.11.0",
+    "axios": "1.12.2",
     "buffer": "6.0.3",
     "cookie-es": "2.0.0",
     "dioc": "3.0.2",
@@ -170,7 +170,7 @@
     "unplugin-fonts": "1.4.0",
     "unplugin-icons": "22.2.0",
     "unplugin-vue-components": "29.0.0",
-    "vite": "6.3.5",
+    "vite": "6.3.6",
     "vite-plugin-checker": "0.10.3",
     "vite-plugin-fonts": "0.7.0",
     "vite-plugin-html-config": "2.0.2",

packages/hoppscotch-data/package.json

@@ -38,7 +38,7 @@
     "@types/lodash": "4.17.20",
     "@types/uuid": "10.0.0",
     "typescript": "5.9.2",
-    "vite": "6.3.5"
+    "vite": "6.3.6"
   },
   "dependencies": {
     "fp-ts": "2.16.11",

packages/hoppscotch-js-sandbox/package.json

@@ -72,7 +72,7 @@
     "io-ts": "2.2.22",
     "prettier": "3.6.2",
     "typescript": "5.9.2",
-    "vite": "6.3.5",
+    "vite": "6.3.6",
     "vitest": "3.2.4"
   },
   "peerDependencies": {

packages/hoppscotch-kernel/package.json

@@ -48,7 +48,7 @@
     }
   },
   "dependencies": {
-    "axios": "1.11.0",
+    "axios": "1.12.2",
     "fp-ts": "2.16.11",
     "aws4fetch": "1.0.20",
     "zod": "3.25.32",

packages/hoppscotch-selfhost-web/package.json

@@ -36,7 +36,7 @@
     "@tauri-apps/plugin-fs": "2.0.2",
     "@tauri-apps/plugin-shell": "2.0.1",
     "@vueuse/core": "13.7.0",
-    "axios": "1.11.0",
+    "axios": "1.12.2",
     "buffer": "6.0.3",
     "dioc": "3.0.2",
     "fp-ts": "2.16.11",

packages/hoppscotch-sh-admin/package.json

@@ -24,7 +24,7 @@
     "@urql/exchange-auth": "3.0.0",
     "@urql/vue": "2.0.0",
     "@vueuse/core": "13.7.0",
-    "axios": "1.11.0",
+    "axios": "1.12.2",
     "cors": "2.8.5",
     "date-fns": "4.1.0",
     "fp-ts": "2.16.11",

prod.Dockerfile

@@ -3,18 +3,18 @@
 FROM alpine:3.22.1 AS caddy_builder
 RUN apk add --no-cache curl git && \
   mkdir -p /tmp/caddy-build && \
-  curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.0/caddy_2.10.0_src.tar.gz
+  curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.2/caddy_2.10.2_src.tar.gz
 
 # Checksum verification of caddy source
-RUN expected="62ba008d9e9fd354e8b28be11de59c6a213f9153f2e9de451417c0b4eb13d9f3" && \
+RUN expected="a9efa00c161922dd24650fd0bee2f4f8bb2fb69ff3e63dcc44f0694da64bb0cf" && \
   actual=$(sha256sum /tmp/caddy-build/src.tar.gz | cut -d' ' -f1) && \
   [ "$actual" = "$expected" ] && \
   echo "✅ Caddy Source Checksum OK" || \
   (echo "❌ Caddy Source Checksum failed!" && exit 1)
 
-# Install Go 1.25.0 from GitHub releases to fix CVE-2025-47907
+# Install Go 1.25.1 from GitHub releases to fix CVE-2025-47907
 ARG TARGETARCH
-ENV GOLANG_VERSION=1.25.0
+ENV GOLANG_VERSION=1.25.1
 # Download and install Go from the official tarball
 RUN case "${TARGETARCH}" in amd64) GOARCH=amd64 ;; arm64) GOARCH=arm64 ;; *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; esac && \
   curl -fsSL "https://go.dev/dl/go${GOLANG_VERSION}.linux-${GOARCH}.tar.gz" -o go.tar.gz && \
@@ -27,10 +27,6 @@ ENV PATH="/usr/local/go/bin:${PATH}" \
 
 WORKDIR /tmp/caddy-build
 RUN tar xvf /tmp/caddy-build/src.tar.gz && \
-  # Patch to resolve GHSA-vrw8-fxc6-2r93 on chi
-  go get github.com/go-chi/chi/v5@v5.2.2 && \
-  # Patch to resolve GHSA-2x5j-vhc8-9cwm on circl
-  go get github.com/cloudflare/circl@v1.6.1 && \
   # Clean up any existing vendor directory and regenerate with updated deps
   rm -rf vendor && \
   go mod tidy && \
@@ -47,8 +43,8 @@ FROM alpine:3.22.1 AS node_base
 RUN apk add --no-cache nodejs npm curl tini bash && \
   # apk provides an outdated npm; immediately upgrade to a pinned version to avoid vulnerabilities
   # TODO: Find a better method which is resistant to supply chain attacks
-  npm install -g npm@11.5.2 && \
-  npm install -g pnpm@10.15.0 @import-meta-env/cli
+  npm install -g npm@11.6.0 && \
+  npm install -g pnpm@10.17.1 @import-meta-env/cli