[codex] Pin axios to 1.14.0

[georgestander]

This change removes the older Axios release that was still being pulled into production through transitive dependencies.

The app did not depend on Axios directly, but two packages in the shipped dependency tree, @mendable/firecrawl-js and @tavily/core, were both resolving to axios@1.13.4. With an active Axios security concern in circulation, leaving that version in place would have kept the app exposed through those providers even though Axios was not listed in the top-level dependency list.

The root cause was that the vulnerable version was nested inside third-party packages rather than declared directly by this project, so a normal top-level dependency review would not have caught it. The fix adds a pnpm override that forces Axios to resolve to 1.14.0 everywhere in this repository, then refreshes the lockfile so both transitive consumers move to that version.

I used 1.14.0 intentionally because it is the current npm latest release and the latest GitHub-tagged Axios release, which made it the safest stable target during an active supply-chain concern. I avoided the just-published 1.14.1 until it has had more time to settle.

I verified the result by checking the resolved dependency tree and by running the project's type check. pnpm why axios now shows both transitive consumers using 1.14.0, and pnpm test:types completed successfully.

Changelog

• Pinned Axios to 1.14.0 across transitive dependencies and fixed unrelated unstable React keys so CI can pass.

[github-actions]

Changelog Preview

This PR contributes the following changelog bullets:

• Pinned Axios to 1.14.0 across transitive dependencies and fixed unrelated unstable React keys so CI can pass.

Checked on 2026-03-31T05:29:04.411Z