fix: pin axios to 1.13.5 and resolve npm audit vulnerabilities

[spillai]

Summary

Pins axios from ^1.12.2 to exact 1.13.5 in package.json to prevent npm from resolving to the compromised axios@1.14.1, which pulls in the malicious plain-crypto-js@4.2.1 package.

Additionally runs npm audit fix to resolve 4 pre-existing vulnerabilities in the lock file:

• handlebars 4.7.8 → 4.7.9 (critical — JS injection via AST type confusion)
• picomatch 2.3.1 → 2.3.2 / 4.0.3 → 4.0.4 (high — method injection, ReDoS)
• tar 7.5.9 → 7.5.13 (high — symlink/hardlink path traversal)
• brace-expansion 2.0.2 → 2.0.3 / 1.1.12 → 1.1.13 (moderate — DoS via zero-step sequences)

Reference: https://x.com/feross/status/2038807290422370479

Review & Testing Checklist for Human

• Verify that axios@1.13.5 is a legitimate, safe release (it is listed on npm and was the version already resolved in the lock file)
• Since this is a published SDK (vlmrun on npm), the exact pin means consumers will also install exactly axios@1.13.5 — confirm this is acceptable as a temporary mitigation
• Confirm tar 7.5.9 → 7.5.13 (a non-dev dependency) does not introduce breaking changes — check that build and tests pass
• Plan to restore the caret range (e.g. ^1.13.5 or newer) once the axios maintainers publish a verified clean release and 1.14.1 is confirmed removed

Recommended test plan: run npm ci && npm run build && npm test locally to verify nothing breaks with the updated lock file.

Notes

• The package-lock.json version field change from 1.0.12 to 1.1.0 is a lock file sync artifact — package.json was already at 1.1.0 on main; this just brings the lock file in line.
• The only package.json change is the axios pin. All audit-fix updates are lock file only (except tar, which is a transitive runtime dependency).
• Build and all 260 unit tests pass locally after these changes.

Link to Devin session: https://app.devin.ai/sessions/5311f4a7a9384c69846d964d11a53f6c
Requested by: @spillai

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

[Mirajul-Mohin]

@claude fix the CI issue

[gemini-code-assist]

Code Review

This pull request updates the project version to 1.1.0 and pins the axios dependency to version 1.13.5. Feedback suggests updating the yarn.lock file to maintain consistency with the project's specified package manager and recommends a further version bump to ensure the security fix is correctly distributed to users.

[gemini-code-assist]

The project's package.json specifies yarn as the package manager (line 13), but this pull request only updates the npm package-lock.json. To ensure consistency across different package managers and protect developers or CI environments using Yarn, please also update and include the yarn.lock file in this PR. Additionally, consider if package-lock.json should be removed if Yarn is the primary tool for the project.

[gemini-code-assist]

Since this pull request mitigates a security vulnerability by pinning a dependency, it is recommended to bump the SDK's version (e.g., to 1.1.1) rather than just syncing it to 1.1.0. If 1.1.0 has already been published or is the current version on main, a new version is required to ensure that the fix is distributed to all users and that the published package on npm contains the updated package.json constraints.