* updated plan
* feat: lift network.ts fs/path use behind window.main.timeline IPC bridge
Removes `node:fs` and `node:path` from the renderer-reachable
`src/network/network.ts`. Three timeline-path constructions and two
`appendFile` calls are replaced with narrow `window.main.timeline.getPath`
(sync IPC) and `window.main.timeline.appendToFile` (async IPC) helpers
that live in main, where Node builtins belong.
Path validation in `appendToTimeline` mirrors `writeResponseBodyToFile`:
only paths inside the `responses/` directory ending in `.timeline` are
accepted, preventing a compromised renderer from writing arbitrary files.
Updates `config/renderer-node-import-baseline.json` to remove the two
`src/network/network.ts` entries — the baseline shrinks as intended.
Part of the nodeIntegration: false migration (PR B).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: address Aikido path-traversal feedback and mock window.main in network tests
- `getTimelinePath`: use `path.resolve` + `path.relative` check instead of
`path.join` to prevent path-traversal attacks (Aikido medium severity finding)
- `network.test.ts`: add `vi.stubGlobal('window', ...)` mock for
`window.main.timeline` so tests don't throw "window is not defined" now
that `defaultSendActionRuntime` calls `window.main.timeline.appendToFile`
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: suppress echoServer stdout in playwright config
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: update insomnia-inso logger for consola v3 compatibility
FancyReporter and BasicReporter were removed in consola v3; LogLevel became
a type-only export and the runtime enum is now LogLevels. Replace with
createConsola + a local BasicReporter shim, and import LogLevels in cli.ts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: address timeline IPC review concerns
- Convert timeline.getPath from sendSync to invoke (async) to avoid
blocking the renderer thread; path construction has no I/O
- Extract getResponsesDir() shared helper so both getTimelinePath and
appendToTimeline read the same source of truth, eliminating env-drift
between the two calls
- Guard mkdir with a Set so the responses directory is only created once
per process rather than on every appendFile call
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: upgrade consola to v3 and fix type/import issues in insomnia-inso
- Bump consola from ^2.15.3 to ^3.4.2 to match logger.ts which already used v3 API (createConsola)
- Fix logType → LogType (renamed in v3)
- Remove fancy option (removed in v3 ConsolaOptions)
- Use ConsolaInstance instead of Consola in result-report.ts so .log() resolves correctly
- Fix import sort in cli.ts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: restore Node.js-safe fallbacks in network.ts for inso CLI
The timeline IPC bridge introduced window.main.timeline calls without
guarding against the inso CLI context where window is not defined.
The electron shim (aliased in the inso bundle) provides app.getPath
as a fallback, matching the pre-bridge behaviour.
- getTimelinePath: check typeof window before using IPC; fall back to
the electron shim path (os.tmpdir()/insomnia-send-request/responses)
- defaultSendActionRuntime.appendTimeline: fall back to fs.promises.appendFile
- tryToExecutePreRequestScript catch block: skip IPC appendToFile in
Node.js context
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: sort node: imports before third-party and replace if/else with ternary in network.ts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: replace static fs/path imports with inline require() to pass renderer baseline check
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: replace process.type branching in network.ts with build-time adapter modules
Eliminates all runtime process.type and typeof window checks by introducing
network-adapter.renderer.ts and network-adapter.node.ts. Vite and Vitest resolve
the import to the renderer adapter; inso esbuild resolves to the node adapter.
No branching code remains in network.ts itself.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: restore object alias format in vite.config.ts to fix rollup build
Array-form alias with find:'~' was not matching prefix imports like
~/common/insomnia-fetch in the react-router production build. Object
form behaves correctly in Vite 7.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: resolve merge conflicts in logger.ts and cli.ts, restore AGENTS.md indented tree
- logger.ts: keep LogType (consola v3 casing), drop duplicate conflict markers
- cli.ts: remove stashed duplicate LogLevels import from conflict block
- AGENTS.md: restore indented hierarchy in Repository Structure and Data Model sections
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* remove cx
* fix: add path traversal guard to getTimelinePath in node adapter
Mirrors the same defence-in-depth check already present in the IPC handler.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix tests which use network from main
* flake
* refactor: replace bundler aliases with process.type runtime detection in network-adapter
Instead of three separate bundler aliases (Vite, esbuild main, esbuild inso),
network-adapter.ts now selects the correct adapter at runtime using
process.type === 'renderer'.
- Vite prod: process.type is already inlined as 'renderer' via define, so
Rollup tree-shakes the node branch
- esbuild main: define process.type='browser' so esbuild tree-shakes renderer branch
- esbuild inso: define process.type=undefined so esbuild tree-shakes renderer branch
- Vitest (insomnia): existing renderer alias kept for test environment
- Vitest (inso): add renderer alias to match pre-existing test behaviour and
avoid loading native node-libcurl module in tests
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: restore vite alias for network-adapter to fix server bundle build
The react-router build produces both client and server bundles. Without
the alias, the server bundle encountered a runtime require() for
'./network-adapter.renderer' that couldn't resolve (Vite inlines
process.type='renderer' via define for the server build too, so Rollup
tree-shakes to the renderer branch, but the module gets externalized in
the server bundle rather than inlined, leaving a broken runtime require).
Restoring the alias ensures both builds inline network-adapter.renderer
directly, which is safe because the module only defines functions —
window.main is never called at module init time.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feedback
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Git server for smoke test
* Try to solve flaky test
* feat: remove unused Git hook samples and add Credentials tab functionality
- Deleted various sample Git hook scripts from the git-server fixture, including post-update, pre-applypatch, pre-commit, pre-merge-commit, pre-push, pre-rebase, pre-receive, prepare-commit-msg, push-to-checkout, sendemail-validate, and update hooks.
- Introduced a new PreferencesCredentialsTab class to manage Git credentials within the Insomnia Preferences.
- Updated the PreferencesPage to include the new Credentials tab for Git credentials management.
- Enhanced the ProjectPage with a method to create a Git Sync project, including branch creation and switching.
- Added comprehensive tests for Git Sync functionality, including creating branches, committing changes, and merging branches.
- Updated UI components to support new features, including data-testid attributes for better testability.
Co-authored-by: Copilot <copilot@github.com>
* feat: update path import and add Git sync tests
* revert package.json
* Update package.json
* feat: add new dependencies for Git HTTP mock server and related utilities
* refactor: remove commented-out code in addAccessTokenGitCredential function
* fix: update export tests to use toHaveLength for file count assertions
---------
Co-authored-by: Copilot <copilot@github.com>
* Use json-bigint for parsing JSON in the response template tag [#8988]
Large numbers can lose precision when parsed using JSON.parse.
* Add unit tests to verify behavior of response template tag when handling large numbers [#8988]
* Add additional tests to cover floating point numbers
* Add inline documentation explaining usage of json-bigint + storeAsString
* Remove bespoke type definition for json-bigint; install existing one
* Add support for configuring custom OpenAI-compatible LLM endpoints via URL.
* Includes new URL backend component, backend service updates, unit tests, and
* UI consistency improvements across all LLM configuration components.
* feat: form component
* feat: use twMerge to support class overide
* Spike: Add markdown format doc support for base-components (#9368)
* initial check-in
* add things
* update select.mdx
* use react live things
* add package-json
* Revert "add package-json"
This reverts commit c57abf6178f39e631ec7fe6634cb4e6afd950fdb.
* update comment
* update docs
* type fix
* tailwind v4 upgrade
* upgrade tailwind v4 in docusaurus
* feat: add more components (#9426)
* update
* update
---------
Co-authored-by: Kent Wang <kent.wang@konghq.com>
