
fix(deps): override axios to >=1.13.5 to patch DoS vulnerability #1620

Merged
shrugs merged 1 commit into main from fix/deps
Feb 10, 2026

Conversation


@shrugs shrugs commented Feb 10, 2026

Adds pnpm override for axios@<=1.13.4 to resolve GHSA-43fc-jf86-j433 (Denial of Service via __proto__ key in mergeConfig), affecting the transitive path: docs/ensnode.io > astro-icon > @iconify/tools > axios.

Adds pnpm override for axios@<=1.13.4 to resolve GHSA-43fc-jf86-j433
(Denial of Service via __proto__ key in mergeConfig), affecting the
transitive path: docs/ensnode.io > astro-icon > @iconify/tools > axios.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@shrugs shrugs requested a review from a team as a code owner February 10, 2026 02:16
Copilot AI review requested due to automatic review settings February 10, 2026 02:16

changeset-bot Bot commented Feb 10, 2026

⚠️ No Changeset found

Latest commit: 4678dc4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



vercel Bot commented Feb 10, 2026

The latest updates on your projects.

Project            Deployment   Actions            Updated (UTC)
admin.ensnode.io   Building     Preview, Comment   Feb 10, 2026 2:17am
ensnode.io         Building     Preview, Comment   Feb 10, 2026 2:17am
ensrainbow.io      Ready        Preview, Comment   Feb 10, 2026 2:17am


coderabbitai Bot commented Feb 10, 2026

Warning

Rate limit exceeded

@shrugs has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 12 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.



greptile-apps Bot commented Feb 10, 2026

Greptile Overview

Greptile Summary

This PR mitigates GHSA-43fc-jf86-j433 by adding a pnpm.overrides rule that forces axios@<=1.13.4 to resolve to ^1.13.5. The corresponding pnpm-lock.yaml updates pin axios to 1.13.5 (and bumps form-data as an axios dependency), ensuring the vulnerable transitive path from docs/ensnode.io → astro-icon → @iconify/tools → axios resolves to the patched version.

I didn’t find any issues that need changes before merge based on the diff; the override and lockfile updates appear consistent with each other.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk.
  • Change is narrowly scoped to dependency resolution: it adds a single pnpm override and updates the lockfile accordingly. The diff shows consistent override entries in both package.json and pnpm-lock.yaml and a corresponding lock bump to axios@1.13.5, with no code-path changes.
  • No files require special attention

Important Files Changed

Filename       | Overview
package.json   | Adds a pnpm override to force axios@<=1.13.4 to resolve to ^1.13.5; change is syntactically valid and consistent with existing override patterns.
pnpm-lock.yaml | Adds the axios override entry and updates the lockfile resolutions/snapshots to axios@1.13.5 (and form-data@4.0.5) matching the override; no inconsistencies spotted in the diff.

Sequence Diagram

sequenceDiagram
  participant Dev as Developer
  participant PNPM as pnpm installer
  participant Reg as Package Registry
  participant Docs as docs/ensnode.io (Astro)
  participant Icon as astro-icon/@iconify/tools

  Dev->>PNPM: pnpm install
  PNPM->>PNPM: Read package.json overrides
  PNPM->>PNPM: Apply override axios@<=1.13.4 -> ^1.13.5
  PNPM->>Reg: Fetch axios@1.13.5 tarball
  Reg-->>PNPM: axios@1.13.5
  PNPM->>Reg: Fetch form-data@4.0.5 (axios dep)
  Reg-->>PNPM: form-data@4.0.5
  PNPM->>Docs: Resolve docs deps
  Docs->>Icon: astro-icon -> @iconify/tools
  Icon->>PNPM: Requires axios (transitive)
  PNPM-->>Icon: Provide axios@1.13.5 per override
  PNPM-->>Dev: Lockfile records axios@1.13.5

@greptile-apps greptile-apps Bot left a comment


2 files reviewed, no comments


Copilot AI left a comment


Pull request overview

Adds a workspace-level pnpm override to ensure transitive axios usage is bumped to a non-vulnerable version, addressing GHSA-43fc-jf86-j433 in the docs/ensnode.io > astro-icon > @iconify/tools > axios dependency chain.

Changes:

  • Add a pnpm override for axios@<=1.13.4 to resolve to ^1.13.5 in package.json.
  • Update pnpm-lock.yaml to reflect axios@1.13.5 (and its form-data dependency bump).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File           | Description
package.json   | Adds a pnpm override to force vulnerable axios ranges to resolve to a patched version.
pnpm-lock.yaml | Lockfile updates reflecting the override taking effect (axios + related dependency resolution changes).
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment thread package.json
"lodash-es@<=4.17.22": "^4.17.23",
"fast-xml-parser@>=4.3.6 <=5.3.3": "^5.3.4"
"fast-xml-parser@>=4.3.6 <=5.3.3": "^5.3.4",
"axios@<=1.13.4": "^1.13.5"
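Review bot: the new `"axios@<=1.13.4": "^1.13.5"` line follows the shape of the neighbouring overrides, but nothing in the change records when it can be retired: pnpm overrides keep rewriting resolution for the whole workspace even after the upstream package that drags in the old range (here @iconify/tools, via docs/ensnode.io > astro-icon) updates its own axios dependency, so a stale override silently outlives its reason. Consider naming that upstream dependency and the advisory (GHSA-43fc-jf86-j433) in the PR description or a tracking issue so the entry can be removed once the transitive path resolves to >=1.13.5 on its own. The range wording (`^1.13.5` versus the `>=1.13.5` in the title) is already raised in the inline comment on this line.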

Copilot AI Feb 10, 2026


PR title/description says overriding axios to ">=1.13.5", but the override value is "^1.13.5" (allows any 1.x). If the intent is to keep this change narrowly scoped to the security patch, consider using an explicit minimum (">=1.13.5") or pinning "1.13.5" so fresh installs don’t silently float to newer minors/patches beyond this PR’s stated goal.
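Added here as an example, not code from this PR or the ensnode project: a small Node script that audits a pnpm-lock.yaml for axios versions still inside the advisory's vulnerable range (<=1.13.4) and checks that the override was recorded in the lockfile. The lockfile excerpt is constructed, and the parsing rules (two-space-indented `pkg@x.y.z:` keys, an `overrides:` block with optional YAML quotes) are assumptions of the example.

```javascript
// Added example, not the PR's own code: audit a pnpm-lock.yaml for axios
// entries still inside the GHSA-43fc-jf86-j433 range (<= 1.13.4) and confirm
// the override was recorded. SAMPLE_LOCKFILE is a constructed excerpt.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
overrides:
  axios@<=1.13.4: ^1.13.5
packages:
  axios@1.13.5:
    resolution: {integrity: sha512-CONSTRUCTED}
  form-data@4.0.5:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

const escapeRegExp = (s) => s.replace(/[.+*?^$()[\]{}|\\]/g, '\\$&');

// "x.y.z" -> [x, y, z]; null for anything that is not a plain release version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric (not lexical) compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Distinct versions of `pkg` that appear as "  pkg@x.y.z:" entries in the lockfile.
function lockedVersions(lockfileText, pkg) {
  const re = new RegExp('^  ' + escapeRegExp(pkg) + '@(\\d+\\.\\d+\\.\\d+):', 'gm');
  return [...new Set([...lockfileText.matchAll(re)].map((m) => m[1]))];
}

// Locked versions of `pkg` at or below `maxVulnerable`, i.e. still unpatched.
function vulnerableVersions(lockfileText, pkg, maxVulnerable) {
  const limit = parseVersion(maxVulnerable);
  if (!limit) throw new TypeError('maxVulnerable must be x.y.z');
  return lockedVersions(lockfileText, pkg).filter((v) => compareVersions(parseVersion(v), limit) <= 0);
}

// True when the lockfile's overrides block records `key: value` (YAML quotes optional).
function hasOverride(lockfileText, key, value) {
  const re = new RegExp("^  '?" + escapeRegExp(key) + "'?: '?" + escapeRegExp(value) + "'?$", 'm');
  return re.test(lockfileText);
}

const unpatched = vulnerableVersions(SAMPLE_LOCKFILE, 'axios', '1.13.4');
console.log(unpatched.length ? `still unpatched: axios@${unpatched.join(', ')}` : 'axios is patched');
```

Run it against the real lockfile by reading the file into `lockfileText`; the numeric compare matters because a lexical check would rank 1.9.9 above 1.13.4.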
