
fix: pin axios to 1.14.0 to prevent upgrade to compromised 1.14.1 (#350)

Merged
Alejandbel merged 5 commits into develop from security/axios on Mar 31, 2026

Conversation

@Alejandbel (Collaborator) commented Mar 31, 2026

axios 1.14.1 and 0.30.4 have been identified as compromised npm packages containing a remote access trojan (RAT). See axios/axios#10604 and https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan for details.

Summary by CodeRabbit

  • Chores
    • Pinned axios to a fixed version (1.14.0) to stabilize installs.
    • Bumped package version to 0.44.1.
    • Updated dev/peer dependency constraints for a toolkit dependency.
    • Added a new changelog entry for the 0.44.1 release.
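As an added example (not code from this PR or from the repository), the following Node script shows the check behind the change described above: given a package.json manifest and a list of compromised versions, it reports whether the dependency specifier would let the package manager install one of them, and whether a lockfile resolution already points at one. The manifests and the `COMPROMISED` table are constructed from the versions named in the description; only exact pins and caret ranges are modelled, and any other range syntax is flagged for manual review rather than guessed at.

```javascript
// Added example, not part of this PR: audit a package.json manifest (and optionally
// the versions a lockfile resolved) against known-compromised versions of a package.
// It shows why the original "^1.7.7" range is risky (it admits 1.14.1) while the
// exact pin "1.14.0" is not. Only exact pins and caret ranges are modelled; other
// range syntax is reported as unsupported rather than guessed at.

// Constructed manifests mirroring the PR: before and after the pin.
const MANIFEST_BEFORE = { name: "demo", version: "0.44.0", dependencies: { axios: "^1.7.7" } };
const MANIFEST_AFTER = { name: "demo", version: "0.44.1", dependencies: { axios: "1.14.0" } };

// Versions the PR description names as compromised.
const COMPROMISED = { axios: ["1.14.1", "0.30.4"] };

// "1.14.0" -> [1, 14, 0]; null for anything that is not a plain x.y.z string.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does the specifier allow the package manager to install `version`?
// Caret semantics: >= base and same major (for 0.x, same major and minor).
function rangeAdmits(spec, version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (spec.startsWith("^")) {
    const base = parseVersion(spec.slice(1));
    if (!base || compareVersions(v, base) < 0) return false;
    return base[0] > 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
  }
  const exact = parseVersion(spec);
  return exact !== null && compareVersions(exact, v) === 0;
}

// Returns a list of findings; an empty list means no version in `compromised`
// can be installed from this manifest or is already resolved in `resolved`.
function auditManifest(manifest, compromised, resolved = {}) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    const bad = compromised[name] || [];
    if (bad.length === 0) continue;
    if (!parseVersion(spec) && !spec.startsWith("^")) {
      findings.push({ name, spec, reason: "unsupported specifier, review manually", versions: [] });
      continue;
    }
    const admitted = bad.filter((v) => rangeAdmits(spec, v));
    if (admitted.length > 0) {
      findings.push({ name, spec, reason: "range admits compromised version", versions: admitted });
    }
    if (resolved[name] && bad.includes(resolved[name])) {
      findings.push({ name, spec, reason: "lockfile resolves to compromised version", versions: [resolved[name]] });
    }
  }
  return findings;
}

// Demonstration: the pre-fix manifest yields one finding, the pinned one yields none.
console.log("before:", JSON.stringify(auditManifest(MANIFEST_BEFORE, COMPROMISED)));
console.log("after: ", JSON.stringify(auditManifest(MANIFEST_AFTER, COMPROMISED)));
```

The pin alone is not the whole story: the `resolved` argument exists because a lockfile committed before the pin can still reference the compromised version, so the check is worth running against both package.json and the lockfile's resolved versions.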

@coderabbitai (Bot) commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cba7691d-c1ab-4a62-9798-a5840da0ee45

📥 Commits

Reviewing files that changed from the base of the PR and between 445d919 and cab8959.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
✅ Files skipped from review due to trivial changes (1)
  • package.json

📝 Walkthrough

Added a changelog entry for v0.44.1 and updated package metadata: bumped package version to 0.44.1, tightened @ton/ton constraints, and pinned axios to 1.14.0 (avoiding 1.14.1).

Changes

Cohort / File(s): Dependency & Release (CHANGELOG.md, package.json)
Summary: Added "## [0.44.1] - 2026-03-31" changelog entry; bumped package version to 0.44.1; tightened @ton/ton dev/peer constraints and changed axios from ^1.7.7 to pinned 1.14.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 I nudged a version, neat and small,
A pinned axios to guard the hall.
A changelog hop, a tidy line,
Release updated — carrot time! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning
  Explanation: The PR description explains the security issue but is missing required template sections: issue reference, checklist items (CHANGELOG.md update, README documentation, tests, linting).
  Resolution: Add the missing template sections: reference the issue number, confirm CHANGELOG.md was updated, and verify checklist items (tests, linting) were completed.

✅ Passed checks (2 passed)

Title check: ✅ Passed
  Explanation: The title clearly and specifically describes the main change: pinning axios to 1.14.0 to prevent upgrade to a compromised version.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 8-10: Update the changelog entry under "## [0.45.0] - 2026-03-31"
to replace the terse "- Pin axios version" with a clear security-focused entry
that specifies the exact version pinned (use the actual pinned version string
found in the codebase, e.g., "axios@1.14.0" or correct to "1.13.5" if that is
the true change), explains the security reason (vulnerable/compromised versions
contained a RAT/backdoor), and includes a reference to the security advisory or
CVE (add URL or advisory ID) so users have context and can act.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1af62cd5-67de-401b-b9cf-8e2b160c0c3f

📥 Commits

Reviewing files that changed from the base of the PR and between 6cba375 and 6580ad5.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

Comment thread on CHANGELOG.md (outdated)
@Alejandbel Alejandbel changed the title fix: pin axios to 1.13.5 to prevent upgrade to compromised 1.14.1 fix: pin axios to 1.14.0 to prevent upgrade to compromised 1.14.1 Mar 31, 2026
@Alejandbel Alejandbel merged commit da8e511 into develop Mar 31, 2026
5 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request May 28, 2026
5 tasks
