feat: prep for release v2.4.0-beta#3919

Merged: mkurapov merged 2 commits into main from max/rop-36 on May 7, 2026

@mkurapov mkurapov commented May 6, 2026

Changes proposed in this pull request

Context

Fixes ROP-36

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Make sure that all checks pass
  • Bruno collection updated (if necessary)
  • Documentation issue created with user-docs label (if necessary)
  • OpenAPI specs updated (if necessary)

netlify Bot commented May 6, 2026

Deploy Preview for brilliant-pasca-3e80ec ready!

Name Link
🔨 Latest commit cf66390
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69fb3bf6b0bc7a0008868591
😎 Deploy Preview https://deploy-preview-3919--brilliant-pasca-3e80ec.netlify.app

@github-actions github-actions Bot added the pkg: documentation Changes in the documentation package. label May 6, 2026

github-actions Bot commented May 6, 2026

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 48.93
  • Iterations/s: 16.30
  • Failed Requests: 0.00% (0 of 2941)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test -k -q --vus 4 --duration 1m

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.1 MB 18 kB/s
     data_sent......................: 2.3 MB 38 kB/s
     http_req_blocked...............: avg=6.71µs   min=2.01µs   med=5.38µs   max=507.01µs p(90)=6.81µs   p(95)=7.39µs  
     http_req_connecting............: avg=381ns    min=0s       med=0s       max=465.37µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=81.15ms  min=8.32ms   med=66.85ms  max=447.41ms p(90)=137.02ms p(95)=164.18ms
       { expected_response:true }...: avg=81.15ms  min=8.32ms   med=66.85ms  max=447.41ms p(90)=137.02ms p(95)=164.18ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2941
     http_req_receiving.............: avg=88.09µs  min=28.72µs  med=77.08µs  max=1.57ms   p(90)=115.81µs p(95)=146.43µs
     http_req_sending...............: avg=35.79µs  min=8.6µs    med=27.85µs  max=2.39ms   p(90)=38.95µs  p(95)=54.82µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=81.03ms  min=8.15ms   med=66.72ms  max=447.34ms p(90)=136.95ms p(95)=164.01ms
     http_reqs......................: 2941   48.928655/s
     iteration_duration.............: avg=245.09ms min=164.25ms med=228.82ms max=980.79ms p(90)=307.07ms p(95)=356.34ms
     iterations.....................: 980    16.304006/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

@mkurapov mkurapov marked this pull request as ready for review May 6, 2026 14:21

@BlairCurrey BlairCurrey left a comment

Looks ok, just had some non-blocking questions.

Why are the docs regenerated? If there are content differences I think this means the Spanish ones are out of date - is that accounted for anywhere (task to update?)

What's the reason for doing the axios override? I realize this override pre-exists the PR and we are just updating it - I guess I'm asking more for my general knowledge. Is there a transitive dependency or something we are trying to control?

mkurapov commented May 7, 2026

> Why are the docs regenerated? If there are content differences I think this means the Spanish ones are out of date - is that accounted for anywhere (task to update?)

They do not automatically get built from the GraphQL schemas, so I built them manually. I will be updating the links for the Spanish one in a separate issue.

> What's the reason for doing the axios override?

This is to fix the vulnerabilities listed in the description, making sure that the minimum version across all of the packages in the repo is an updated, non-vulnerable one via overrides.

@mkurapov mkurapov merged commit 8a5aef8 into main May 7, 2026
58 checks passed
@mkurapov mkurapov deleted the max/rop-36 branch May 7, 2026 16:17

BlairCurrey commented May 7, 2026

> This is to fix the vulnerabilities listed in the description, making sure that the minimum version across all of the packages in the repo is an updated, non-vulnerable one via overrides

What I'm wondering is why it's an override and not just bumping the individual package versions.

My understanding of overrides was that they were for forcing versions of packages we can't directly control ourselves. And ideally temporarily. But maybe we are intentionally using it to ensure the same version is used across packages? I'm not sure that's a good idea. Pnpm has a catalog feature that can handle this and in their docs for it they directly state this would be misusing overrides: https://github.com/pnpm/rfcs/blob/main/text/0001-catalogs.md#comparison-to-overridesresolutions

> Using this feature should be considered a hack in most cases, something that is done temporarily while waiting for a bug to be fixed, or to avoid excessive duplication caused by an overly strict meta-dependency specifier.

The original override was "axios@>=0.8.1 <0.28.0": ">=0.28.0". This preserves the option to use pre <0.28.0. If we are mandating everything is >= some version then I don't see the point of the override vs. pinning everything above the vulnerability. Locally it appears that pinning all our packages directly resolves the audit warning (using pnpm audit, not trivy mind you).

Frankly IDK if we even need catalogs. We can just maintain the version directly across packages imo. We can still easily upgrade simultaneously with pnpm up -r axios.

mkurapov commented May 7, 2026

@BlairCurrey good point - for some reason I disregarded that we have it as a direct dependency, even though we do in a few of the packages.

We should do both: upgrade/pin the version across the dependencies, and also keep the override because there are a few dependencies, mostly dev, that have axios as a dependency themselves.

Catalogs might be a great option for us in the rafiki-v2 repo, given the amount of packages we have.
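
The split this thread settles on (bump axios where the workspace declares it directly, keep the override only for packages the repo does not control) can be checked mechanically. The following is an added example, not code from this PR or the rafiki repository; the package names, every version other than the 0.28.0 floor quoted above, and the `planAxiosFix` helper are constructed for illustration, and the range parser handles simple ranges only.

```javascript
// Added example. The manifests and the third-party entry below are constructed,
// not the repository's real package.json files or lockfile.
const FLOOR = '0.28.0'; // floor quoted in the thread's original override

// Compare two plain x.y.z versions: negative, zero or positive.
function cmp(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Lowest version a simple range admits ("1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3").
// Compound or unusual ranges return null and go to manual review.
function lowerBound(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

// workspace: manifests the repo owns; thirdParty: resolved packages it does not.
function planAxiosFix(workspace, thirdParty, floor = FLOOR) {
  const plan = { bumpDirect: [], needsOverride: [], review: [] };
  const check = (name, range, bucket) => {
    const lb = lowerBound(range);
    if (lb === null) plan.review.push(name);
    else if (cmp(lb, floor) < 0) plan[bucket].push(name);
  };
  for (const m of workspace) {
    for (const field of ['dependencies', 'devDependencies']) {
      const range = (m[field] || {}).axios;
      if (range !== undefined) check(m.name, range, 'bumpDirect');
    }
  }
  for (const p of thirdParty) {
    const range = (p.dependencies || {}).axios;
    if (range !== undefined) check(p.name, range, 'needsOverride');
  }
  return plan;
}

const sampleWorkspace = [
  { name: 'pkg-a', dependencies: { axios: '^0.27.2' } },
  { name: 'pkg-b', dependencies: { axios: '1.6.8' } },
  { name: 'pkg-c', devDependencies: { axios: '>=0.8.1 <0.28.0' } },
];
const sampleThirdParty = [{ name: 'hypothetical-dev-tool', dependencies: { axios: '~0.21.4' } }];
console.log(planAxiosFix(sampleWorkspace, sampleThirdParty));
```

Entries under `bumpDirect` are manifests the repo can fix by raising its own range; only `needsOverride` entries justify keeping an override, and `review` entries need a full semver range check.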

mkurapov commented May 7, 2026

Made PR for upgrading and pinning axios version ☝️
