Bump handlebars to 4.7.9, @apollo/server to 5.5.0, and
nodemailer to 8.0.4 in the backend. Add narrow pnpm
overrides for path-to-regexp (8.4.0) and dompurify (3.3.3).
Move unplugin-icons to devDependencies in sh-admin to keep
dev-only transitive packages out of the production audit.
Fixes collections with JSON comments failing in the CLI with `SerializationException` while working fine in the app, where comments are stripped before sending requests, but the CLI was sending them as-is, breaking APIs like AWS Cognito that expect valid JSON.
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: Nahid Hasan <52489202+nahidhasan94@users.noreply.github.com>
This updates Hoppscotch Desktop (Shell) dependencies to align with
`v2025.11.0` security patch and other dependency chain.
---------
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Add per-domain toggle to disable automatic HTTP redirect following in
the Native and Agent interceptors. When disabled, requests return the
redirect response (status code, headers, body) without following the
Location header.
Previously HTTP redirects were always followed (on browser, can't do
much about that, see
https://fetch.spec.whatwg.org/#atomic-http-redirect-handling) without
option to inspect the redirect response itself. This prevented
developers from accessing redirect metadata needed when testing OAuth
flows (PKCE where intermediate responses contain authorization tokens),
authentication endpoints that return codes in Location headers with 302
status, and debugging API redirect chains. But on the desktop app,
redirects were just never followed, creating the opposite effect.
The browser's fetch API applies atomic HTTP redirect handling per spec,
making it impossible to intercept redirects and inspect their responses.
The Native and Agent interceptors use curl and native HTTP clients
respectively, both supporting redirect control, making this feature
viable for these specific interceptors. (Proxyscotch tbd).
Updates `tauri-plugin-shell` from vulnerable version to `v2.2.1` to
address `CVE-2025-31477` in `open` around scope validation.
Affects both `hoppscotch-agent` and `hoppscotch-desktop`.
Closes FE-1022
This resolves window accumulation during instance switching by
implementing proper window lifecycle management using Tauri's
WebviewWindow APIs.
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
The rebases and updates desktop's `@hoppscotch/plugin-appload`
dependency from branch-based ref to specific commit hash to resolve
Docker build failures.
Branch-based GitHub dependencies require `git` in the build environment.
Our Dockerfile stages didn't install `git`, which caused `pnpm install`
to fail with `spawn git ENOENT`. Using a commit hash allows `pnpm` to
fetch the tarball directly without requiring `git`.
This implements backend path management, backup system, cross-platform utilities, and refactors the `appload` plugin arch to support portable mode deployment.
The changes are mainly establishing foundational infra maintaining current frontend behavior until phase-3+ integration.
- This standardises package versions between desktop, agent, appload, relay
all the native components to resolve version inconsistencies and prepare
for unified bumps in the future.
- Account for recent minor dependency bumps as a follow-up to #5329
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
This fixes file uploads incorrectly showing MIME type as "Other" instead
of their actual content types by expanding the `MediaType` enum relay
to include common audio, video, and image formats.
Basically `MediaType` enum is used for both `ContentType` which would
map to `ContentType` from `hoppscotch-data` (e.g. `multipart/form-data`)
but also to `FormValue` in `interop`
```rust
pub enum FormValue {
...
File {
filename: String,
content_type: MediaType,
data: Bytes,
},
}
```
although the later should be much more pervasive.
This is a follow up on #5244
Closes FE-887
Closes#3810Closes#5223Closes#5233
The issue occurred because the `relay`'s `MediaType` couldn't deserialize
beyond the basic types (text, JSON, XML, etc.), lacked support for
other media file types. The TypeScript layer correctly detected MIME
types (e.g., "audio/x-m4a"), but the deserialization process fell back
to `MediaType::Other`. Main reason for servers performing strict MIME
validation to reject uploads.
