
chore: upgrade axios and openai#2139

Merged
endigma merged 1 commit into main from jesse/eng-7685-followup
Aug 14, 2025

Member

@endigma endigma commented Aug 14, 2025

Summary by CodeRabbit

  • Chores
    • Upgraded third-party dependencies across CLI, Control Plane, Playground, and Studio to newer stable versions to improve security, compatibility, and performance.
    • Changes affect install-time dependency resolution only (network/client libraries).
    • No changes to user-facing behavior, configuration, or public APIs.

Checklist

Contributor

coderabbitai Bot commented Aug 14, 2025

Walkthrough

Dependency version updates in multiple package.json files: axios updated to ^1.11.0 across cli, controlplane, playground, and studio; controlplane also updates openai to ^4.104.0; cli updates posthog-node to ^4.18.0. No code or API changes.

Changes

| Cohort / File(s) | Summary of changes |
| --- | --- |
| Axios version bump: cli/package.json, controlplane/package.json, playground/package.json, studio/package.json | Bump axios from ^1.8.4 to ^1.11.0 |
| OpenAI version bump: controlplane/package.json | Bump openai from ^4.54.0 to ^4.104.0 |
| posthog-node version bump: cli/package.json | Bump posthog-node from ^4.17.1 to ^4.18.0 |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b5ef02 and 0c8aa5f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • cli/package.json (2 hunks)
  • controlplane/package.json (2 hunks)
  • playground/package.json (1 hunks)
  • studio/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • studio/package.json
  • playground/package.json
  • controlplane/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: image_scan
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: integration_test (./events)
  • GitHub Check: build_test
  • GitHub Check: Analyze (go)
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
🔇 Additional comments (1)
cli/package.json (1)

51-51: Verify Axios v1.11.0 Upgrade

The CLI’s package.json now pins axios at ^1.11.0. Before merging, please scan for and address these key areas:

CancelToken → AbortController
• Search for any axios.CancelToken imports/usages and replace with the standard AbortController/signal API.
• Example migration:
```js
// old
const source = axios.CancelToken.source();
axios.get(url, { cancelToken: source.token });
source.cancel();

// new
const controller = new AbortController();
axios.get(url, { signal: controller.signal });
controller.abort();
```  

Proxy/Agent behavior
• Verify any httpAgent/httpsAgent or undici proxy logic still works under v1.11.0.
• Check calls to CreateClient({ proxyUrl }) / new HttpsProxyAgent(...) / ProxyAgent in cli/src.

Interceptors & axios-retry
• Run your existing request/response interceptors and axios-retry flows against v1.11 to confirm nothing was broken.

Node.js version support
• Axios v1.11.0 still supports Node 14+. Ensure your runtime meets this requirement.

cli/package.json

- "axios": "^1.10.0",
+ "axios": "^1.11.0",
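
Review bot: The `+` line keeps a caret range (`^1.11.0`), so the manifest only sets a floor and the version actually installed is whatever pnpm-lock.yaml resolves, and this review lists pnpm-lock.yaml as excluded by path filter, so that resolution was not looked at here. Check the lockfile diff by hand for the resolved axios version in each workspace. Also note that the `-` line shows `^1.10.0` while the walkthrough gives the previous range as `^1.8.4`, which suggests the workspaces were not on a single range before this bump.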

github-actions Bot commented Aug 14, 2025

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-3282c6f733d3b0a148263be39f1c24d21ce6cfa6-nonroot

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🔭 Outside diff range comments (1)
cli/package.json (1)

1-108: Add a patch Changeset for the CLI (wgc)

No .changeset entry references wgc. Since the CLI’s runtime dependencies changed, downstream users need a patch release. If you’re using Changesets, please add a patch entry under .changeset/. For example:

```md
---
"wgc": patch
---

Update CLI runtime dependencies
```

🧹 Nitpick comments (1)
controlplane/package.json (1)

43-94: Consider centralizing dependency versions via pnpm.overrides for consistency.

Since multiple workspaces consume axios and (some) openai, using a root-level pnpm.overrides can enforce a single version across the monorepo and prevent drift.

Happy to propose an overrides block if you confirm the repo uses a root package.json/pnpm-workspace.yaml.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 36083a7 and 7b5ef02.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • cli/package.json (2 hunks)
  • controlplane/package.json (2 hunks)
  • playground/package.json (1 hunks)
  • studio/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)
  • GitHub Check: build_push_image
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: image_scan
  • GitHub Check: build_push_image
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: integration_test (./events)
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
🔇 Additional comments (5)
studio/package.json (1)

73-73: No deprecated Axios usage detected in studio/

All grep scans under studio/ returned no occurrences of:

  • CancelToken, axios.isCancel, or axios.Cancel
  • Custom adapters via axios.defaults.adapter or inline in axios.create
  • Interceptors via axios.interceptors

You can safely bump Axios to ^1.11.0 in the Next.js app.

controlplane/package.json (2)

59-59: Axios bump looks good—no action needed.

  • axios-retry ^4.5.0 lists “axios: 0.x || 1.x” as a peer dependency and has been resolved against axios 1.11.0 in pnpm-lock.yaml.
  • None of our axios.create({…}) calls pass httpAgent, httpsAgent, or proxy options, so the default Node adapter (picking up HTTP(S)_PROXY env vars if set) remains in use.

80-80: OpenAI v4 import and usage confirmed
No legacy v3 patterns detected and your client instantiation/chat.completions.create calls align with the v4 SDK. Great to merge!

cli/package.json (1)

51-51: Validate Axios 1.11.0 Integration in CLI

The CLI’s package.json now pins

  "axios": "^1.11.0",

Please manually verify that bump:

  • Works with the Bun build (npm run build:bun)—confirm axios’s CJS/ESM output loads correctly under Bun’s --compile
  • Retains existing proxy/agent configurations and TLS behavior in all network flows
  • Doesn’t rely on deprecated cancellation APIs (CancelToken, isCancel, axios.Cancel)

Steps you can take:

  • Grep the cli/ directory for all axios imports/calls
  • Ensure no legacy cancellation patterns remain
  • Run smoke tests of each CLI command under both Node (tsc build) and Bun
playground/package.json (1)

51-51: No deprecated Axios APIs detected — manual build verification still required

A repo-wide search for CancelToken, axios.isCancel, and axios.Cancel returned no matches, indicating no direct usage of those deprecated Axios APIs.

Please ensure the following before publishing the patch release for Playground:

  • Manually build the browser bundle with Vite and verify that Axios is correctly tree-shaken and included.
  • Confirm source maps remain valid and accurately map back to the original code.
  • Run a quick sanity check in browsers to validate public API stability.

Once verified, publish a patch release since consumers will pick up the new Axios runtime dependency.
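
An added example, not part of the pull request or of the CodeRabbit review: a small Node.js check for the cross-workspace version drift that the pnpm.overrides suggestion in the review is meant to prevent. The manifests are constructed sample data, and `collectRanges` and `findDrift` are hypothetical helper names.

```javascript
// Added example. Manifests are constructed sample data, not the repository's files.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

const sampleManifests = {
  'cli/package.json': { dependencies: { axios: '^1.10.0', 'posthog-node': '^4.18.0' } },
  'controlplane/package.json': { dependencies: { axios: '^1.8.4', openai: '^4.104.0' } },
  'playground/package.json': { dependencies: { axios: '^1.8.4' } },
  'studio/package.json': { dependencies: { axios: '^1.8.4' } },
};

// Map each package name to the ranges declared for it and the files declaring them.
function collectRanges(manifests) {
  const byName = new Map();
  for (const [file, pkg] of Object.entries(manifests)) {
    for (const section of SECTIONS) {
      for (const [name, range] of Object.entries(pkg[section] ?? {})) {
        const ranges = byName.get(name) ?? new Map();
        ranges.set(range, [...(ranges.get(range) ?? []), file]);
        byName.set(name, ranges);
      }
    }
  }
  return byName;
}

// Report names declared with more than one range. `overrides` mirrors the
// root package.json "pnpm.overrides" object: an entry there forces a single
// resolved range, so the finding is downgraded from "drift" to "masked"
// (the manifests still disagree and should be tidied).
function findDrift(manifests, overrides = {}) {
  const findings = [];
  for (const [name, ranges] of collectRanges(manifests)) {
    if (ranges.size < 2) continue;
    const pinned = Object.hasOwn(overrides, name);
    findings.push({
      name,
      status: pinned ? 'masked' : 'drift',
      override: pinned ? overrides[name] : null,
      ranges: Object.fromEntries(ranges),
    });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

console.log(JSON.stringify(findDrift(sampleManifests), null, 2));
console.log(JSON.stringify(findDrift(sampleManifests, { axios: '^1.11.0' }), null, 2));
```

Run in CI against the real manifests, a non-empty `drift` result is a reason to fail the build before the lockfile is regenerated.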

Comment thread cli/package.json
Contributor

@StarpTech StarpTech left a comment

LGTM

@endigma endigma force-pushed the jesse/eng-7685-followup branch from 7b5ef02 to 0c8aa5f Compare August 14, 2025 16:26
@endigma endigma merged commit b5b2115 into main Aug 14, 2025
47 checks passed
@endigma endigma deleted the jesse/eng-7685-followup branch August 14, 2025 19:04
@coderabbitai coderabbitai Bot mentioned this pull request Sep 19, 2025
5 tasks
@Noroth Noroth mentioned this pull request Sep 30, 2025
5 tasks