Bump handlebars to 4.7.9, @apollo/server to 5.5.0, and
nodemailer to 8.0.4 in the backend. Add narrow pnpm
overrides for path-to-regexp (8.4.0) and dompurify (3.3.3).
Move unplugin-icons to devDependencies in sh-admin to keep
dev-only transitive packages out of the production audit.
Fixes collections with JSON comments failing in the CLI with `SerializationException` while working fine in the app, where comments are stripped before sending requests, but the CLI was sending them as-is, breaking APIs like AWS Cognito that expect valid JSON.
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: Nahid Hasan <52489202+nahidhasan94@users.noreply.github.com>
This updates Hoppscotch Desktop (Shell) dependencies to align with
`v2025.11.0` security patch and other dependency chain.
---------
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Add per-domain toggle to disable automatic HTTP redirect following in
the Native and Agent interceptors. When disabled, requests return the
redirect response (status code, headers, body) without following the
Location header.
Previously HTTP redirects were always followed (on browser, can't do
much about that, see
https://fetch.spec.whatwg.org/#atomic-http-redirect-handling) without
option to inspect the redirect response itself. This prevented
developers from accessing redirect metadata needed when testing OAuth
flows (PKCE where intermediate responses contain authorization tokens),
authentication endpoints that return codes in Location headers with 302
status, and debugging API redirect chains. But on the desktop app,
redirects were just never followed, creating the opposite effect.
The browser's fetch API applies atomic HTTP redirect handling per spec,
making it impossible to intercept redirects and inspect their responses.
The Native and Agent interceptors use curl and native HTTP clients
respectively, both supporting redirect control, making this feature
viable for these specific interceptors. (Proxyscotch tbd).
Updates `tauri-plugin-shell` from vulnerable version to `v2.2.1` to
address `CVE-2025-31477` in `open` around scope validation.
Affects both `hoppscotch-agent` and `hoppscotch-desktop`.
Closes FE-1022
This resolves window accumulation during instance switching by
implementing proper window lifecycle management using Tauri's
WebviewWindow APIs.
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
The rebases and updates desktop's `@hoppscotch/plugin-appload`
dependency from branch-based ref to specific commit hash to resolve
Docker build failures.
Branch-based GitHub dependencies require `git` in the build environment.
Our Dockerfile stages didn't install `git`, which caused `pnpm install`
to fail with `spawn git ENOENT`. Using a commit hash allows `pnpm` to
fetch the tarball directly without requiring `git`.
This implements backend path management, backup system, cross-platform utilities, and refactors the `appload` plugin arch to support portable mode deployment.
The changes are mainly establishing foundational infra maintaining current frontend behavior until phase-3+ integration.
- This standardises package versions between desktop, agent, appload, relay
all the native components to resolve version inconsistencies and prepare
for unified bumps in the future.
- Account for recent minor dependency bumps as a follow-up to #5329
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
