fix: replace direct axios usage with native fetch #615
Merged
ECWireless merged 6 commits into main (Apr 1, 2026)
Contributor
Pull request overview
This PR aims to harden the project’s supply chain by removing direct axios usage in the app’s SWR fetcher, adding development isolation via a VS Code dev container, and introducing install-time guardrails via .npmrc.
Changes:
- Replace the axios-based SWR `fetcher` with a native `fetch` implementation (10s timeout + API error formatting).
- Add a VS Code Dev Container configuration to run development inside a container.
- Add `.npmrc` restrictions (`frozen-lockfile`, `ignore-scripts`) and ignore `.pnpm-store` in tooling.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Documents the dev container workflow and the new .npmrc guardrails. |
| package.json | Removes direct axios and wait-on dependencies; updates app import to new fetcher. |
| pnpm-lock.yaml | Updates lockfile to reflect removed direct dependencies and transitive cleanup. |
| pages/_app.tsx | Switches SWR config to import fetcher from @lib/fetcher. |
| lib/fetcher.ts | Introduces the new fetch-based SWR fetcher with timeout and error handling. |
| lib/axios.ts | Removes the previous axios client + fetcher implementation. |
| .npmrc | Enforces frozen lockfile installs and disables lifecycle scripts. |
| .prettierignore | Ignores .pnpm-store from formatting. |
| .gitignore | Ignores .pnpm-store from git. |
| .devcontainer/devcontainer.json | Adds the dev container definition and post-create install command. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
prettier was used in format scripts and pre-commit hooks but was never declared as a dependency — it only worked as a ghost dependency via transitive hoisting. This breaks on pnpm 10+ which is stricter about hoisting. Also ignore .pnpm-store in .gitignore and .prettierignore.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Isolate development in a container to limit blast radius of compromised packages, and enforce frozen-lockfile + ignore-scripts via .npmrc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pnpm 10+ blocks dependency install scripts (postinstall, preinstall) by default, replacing the need for ignore-scripts in .npmrc. This protects against malicious packages without breaking the project's own lifecycle hooks (e.g. prepare: husky). See: https://pnpm.io/supply-chain-security

Changes:
- Remove .npmrc (ignore-scripts no longer needed, frozen-lockfile is enforced by CI via --frozen-lockfile flag)
- Bump packageManager to pnpm@10.33.0
- Update CI workflows to use pnpm 10.33.0
- Update README to document pnpm 10 approach and link to docs
- Update devcontainer image tag

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rface Remove axios and wait-on dependencies, replacing the axios-based fetcher with a native fetch implementation that preserves the same error handling and timeout behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address Copilot review: move clearTimeout after body read so the AbortController covers slow-streaming responses, and enrich non-2xx errors with statusText.

Co-Authored-By: copilot-pull-request-reviewer[bot] <noreply@github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
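The fetcher behaviour described in this commit (a timeout that still covers the body read, and non-2xx errors enriched with statusText), as an added example that is not the project's lib/fetcher.ts. ApiError, createFetcher and the injectable fetchImpl parameter are this example's own names, and fakeFetch is a constructed offline stand-in for the network.

```javascript
// Added example, not the project's lib/fetcher.ts: an SWR-style fetcher on native fetch.
// The timer is cleared only after the body has been read, so the AbortController also
// bounds slow-streaming responses; non-2xx results carry status, statusText and body.
// fetchImpl is a hypothetical injection point so the example can run offline.

class ApiError extends Error {
  constructor(status, statusText, body) {
    super(`Request failed: ${status} ${statusText}${body ? ` - ${body}` : ""}`);
    this.name = "ApiError";
    this.status = status;
    this.statusText = statusText;
    this.body = body;
  }
}

/**
 * @param {number} timeoutMs  overall budget for headers plus body
 * @param {(url: string, init: RequestInit) => Promise<Response>} fetchImpl
 */
function createFetcher(timeoutMs = 10_000, fetchImpl = globalThis.fetch) {
  return async (url) => {
    const controller = new AbortController();
    const timer = setTimeout(() => controller.abort(), timeoutMs);
    try {
      const res = await fetchImpl(url, { signal: controller.signal });
      // Read the body while the timer is still armed: a stalled stream aborts too.
      const text = await res.text();
      if (!res.ok) throw new ApiError(res.status, res.statusText, text);
      return text ? JSON.parse(text) : null;
    } finally {
      clearTimeout(timer); // after the body read, not right after the headers arrive
    }
  };
}

// Constructed fake transport for offline demonstration; the routes are invented.
async function fakeFetch(url, init) {
  if (url === "/api/ok") return new Response('{"ok":true}', { status: 200 });
  if (url === "/api/forbidden") {
    return new Response('{"error":"forbidden"}', { status: 403, statusText: "Forbidden" });
  }
  // Any other route hangs until the signal aborts, like an unresponsive upstream.
  return new Promise((_, reject) => {
    init.signal.addEventListener("abort", () => reject(new DOMException("aborted", "AbortError")));
  });
}

const fetcher = createFetcher(10_000);          // production-style: real global fetch
const offlineFetcher = createFetcher(50, fakeFetch); // 50ms budget against the fake transport
```

`fetcher` is what would be handed to SWRConfig; `offlineFetcher` exercises the success, 403 and timeout paths without touching the network.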
ECWireless approved these changes (Apr 1, 2026)
Summary
- fetch — removes direct axios usage (and wait-on) from the project, reducing supply chain attack surface while preserving identical error-handling and 10s timeout behavior
- @coinbase/cdp-sdk)

Test plan
- pnpm build)
- /api/* routes surface correct error messages

🤖 Generated with Claude Code