fix(deps): pin @tauri-apps/plugin-http to 2.5.4 to match Rust crate

[aspiers]

Problem

@tauri-apps/plugin-http 2.5.5+ changed the fetch_read_body IPC command from a Channel-based streaming API to returning tauri::ipc::Response directly. This is a breaking IPC contract change — the JS and Rust sides must be updated together.

With a loose ^2.5.1 specifier in package.json, a clean bun install resolves to 2.5.7, while the Rust side in Cargo.lock stays at 2.5.4. This causes every fetch call via tauriFetch to silently fail with:

invalid args `streamChannel` for command `fetch_read_body`: command fetch_read_body missing required key streamChannel

This manifests as Groq/OpenAI SDK calls failing silently — the IPC error is not a Groq.APIError or OpenAI.APIError, so it gets re-thrown and swallowed as an unhandled rejection with no user-visible message.

The root cause is tracked upstream at tauri-apps/plugins-workspace#3276.

Proposed fix

Pin @tauri-apps/plugin-http to exactly 2.5.4 in package.json until the Rust crate is also updated to 2.5.5+. This prevents bun install from silently pulling a JS version that is incompatible with the locked Rust crate.

The change is minimal:

--- a/apps/whispering/package.json
+++ b/apps/whispering/package.json
@@ -63,7 +63,7 @@
     "@tauri-apps/plugin-dialog": "^2.3.2",
     "@tauri-apps/plugin-fs": "^2.4.1",
     "@tauri-apps/plugin-global-shortcut": "^2.3.0",
-    "@tauri-apps/plugin-http": "^2.5.1",
+    "@tauri-apps/plugin-http": "2.5.4",
     "@tauri-apps/plugin-log": "~2",
     "@tauri-apps/plugin-notification": "^2.3.0",
     "@tauri-apps/plugin-opener": "^2.4.0",

(bun.lock also updates to resolve to 2.5.4 instead of 2.5.7.)

Notes

• This is a short-term workaround. The proper fix is either to bump the Rust crate to match, or for upstream to add version handshaking so mismatches are caught at install time rather than silently at runtime.
• The related fix in PR fix(groq): surface non-APIError fetch failures as WhisperingError #1377 also helps by ensuring that non-APIError fetch failures are surfaced as user-visible errors rather than swallowed.