fix: replace direct axios usage with native fetch (#615)

* fix: add prettier as explicit devDependency

prettier was used in format scripts and pre-commit hooks but was never
declared as a dependency — it only worked as a ghost dependency via
transitive hoisting. This breaks on pnpm 10+ which is stricter about
hoisting.

Also ignore .pnpm-store in .gitignore and .prettierignore.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add dev container and .npmrc for supply chain security

Isolate development in a container to limit blast radius of compromised
packages, and enforce frozen-lockfile + ignore-scripts via .npmrc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: upgrade to pnpm 10 for built-in supply chain security

pnpm 10+ blocks dependency install scripts (postinstall, preinstall) by
default, replacing the need for ignore-scripts in .npmrc. This protects
against malicious packages without breaking the project's own lifecycle
hooks (e.g. prepare: husky).

See: https://pnpm.io/supply-chain-security

Changes:
- Remove .npmrc (ignore-scripts no longer needed, frozen-lockfile is
  enforced by CI via --frozen-lockfile flag)
- Bump packageManager to pnpm@10.33.0
- Update CI workflows to use pnpm 10.33.0
- Update README to document pnpm 10 approach and link to docs
- Update devcontainer image tag

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: simplify dev container and supply chain sections in README

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: replace axios with native fetch to reduce supply chain attack surface

Remove axios and wait-on dependencies, replacing the axios-based fetcher
with a native fetch implementation that preserves the same error handling
and timeout behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: keep fetch timeout active until body is fully consumed

Address Copilot review: move clearTimeout after body read so the
AbortController covers slow-streaming responses, and enrich non-2xx
errors with statusText.

Co-Authored-By: copilot-pull-request-reviewer[bot] <noreply@github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: copilot-pull-request-reviewer[bot] <noreply@github.com>

Author: 3 people

lib/axios.ts

@@ -0,0 +1,28 @@
+export const fetcher = <T>(url: string): Promise<T> => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 10000);
+
+  return fetch(`/api${url}`, { signal: controller.signal })
+    .then(async (res) => {
+      if (!res.ok) {
+        const apiError = await res.json().catch(() => null);
+        clearTimeout(timeoutId);
+        if (apiError?.code) {
+          const errorMessage = apiError.error ?? "An unknown error occurred";
+          throw new Error(`${apiError.code}: ${errorMessage}`);
+        }
+        const statusText = res.statusText ? ` ${res.statusText}` : "";
+        throw new Error(`HTTP ${res.status}${statusText}`);
+      }
+      const data = (await res.json()) as T;
+      clearTimeout(timeoutId);
+      return data;
+    })
+    .catch((err) => {
+      clearTimeout(timeoutId);
+      if (err.name === "AbortError") {
+        throw new Error("Request timeout");
+      }
+      throw err;
+    });
+};

lib/fetcher.ts

@@ -46,8 +46,7 @@
     "jest-environment-jsdom": "^30.2.0",
     "ts-node": "^10.9.2",
     "typechain": "^8.1.0",
-    "typescript": "5.9.2",
-    "wait-on": "^9.0.3"
+    "typescript": "5.9.2"
   },
   "dependencies": {
     "@apollo/client": "3.13.1",
@@ -75,7 +74,6 @@
     "apollo-link": "^1.2.11",
     "apollo-link-http": "^1.5.15",
     "apollo-server-micro": "3.10.0",
-    "axios": "^0.30.3",
     "change-case": "^4.1.2",
     "copy-to-clipboard": "^3.3.3",
     "dayjs": "^1.9.6",

package.json

@@ -2,7 +2,7 @@ import "@rainbow-me/rainbowkit/styles.css";
 import "../styles/globals.css";
 
 import { ApolloProvider } from "@apollo/client";
-import { fetcher } from "@lib/axios";
+import { fetcher } from "@lib/fetcher";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { DEFAULT_CHAIN, L1_CHAIN } from "lib/chains";
 import dynamic from "next/dynamic";