
CEXT-6026: Exclude unsafe version of axios #289

Merged
revanth0212 merged 1 commit into adobe:main from pdohogne-magento:CEXT-6026-exclude-unsafe-axios on Apr 2, 2026

Conversation

@pdohogne-magento
Collaborator

Description

Exclude Axios version 1.14.1 and override plain-crypto-js with a local empty package if otherwise found.

Related Issue

CEXT-6026: Update axios dependency to exclude malicious version

Motivation and Context

Axios version 1.14.1 was published with a malicious dependency on plain-crypto-js (see here)

How Has This Been Tested?

Local unit tests via npm test

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
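As an added example (not code from this PR or the project): a Node script that walks a package-lock.json "packages" map (lockfileVersion 2 or 3) and flags exactly what this change excludes, axios 1.14.1 and any copy of plain-crypto-js, so a reviewer can confirm a lockfile is clean after the override lands. The lockfile below is constructed; the blocklist structure and helper names are the example's own.

```javascript
// Added example, not part of the PR: audit a package-lock.json for the
// entries this change excludes. Only the lockfile's "packages" map is used;
// a real run would load the file with fs.readFileSync and JSON.parse.

// Blocklist (example's own format): versions === null means every version.
const BLOCKED = [
  { name: 'axios', versions: ['1.14.1'] },
  { name: 'plain-crypto-js', versions: null },
];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (project root) -> null
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  if (idx === -1) return null;
  return lockPath.slice(idx + 'node_modules/'.length);
}

// Returns [{ path, name, version }] for every lock entry matching BLOCKED.
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name) continue;
    for (const rule of BLOCKED) {
      if (name !== rule.name) continue;
      if (rule.versions === null || rule.versions.includes(entry.version)) {
        findings.push({ path: lockPath, name, version: entry.version });
      }
    }
  }
  return findings;
}

// Constructed sample: the top-level axios is fine, but a transitive dependency
// ("some-sdk", invented) pins the unsafe axios, which pulls in plain-crypto-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { axios: '^1.6.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.6.8' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '1.14.1' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.1' },
  },
};

function auditSampleLock() {
  return auditLock(SAMPLE_LOCK);
}

console.log(JSON.stringify(auditSampleLock(), null, 2));
```

A non-empty result is the signal to add the package.json override (or regenerate the lockfile) before merging.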

@pdohogne-magento pdohogne-magento force-pushed the CEXT-6026-exclude-unsafe-axios branch from 6e6f86c to 0199327 Compare April 1, 2026 14:46
brasewel previously approved these changes Apr 1, 2026
@pdohogne-magento pdohogne-magento changed the base branch from main to develop April 1, 2026 15:11
@pdohogne-magento pdohogne-magento dismissed brasewel’s stale review April 1, 2026 15:11

The base branch was changed.

brasewel previously approved these changes Apr 1, 2026
revanth0212 previously approved these changes Apr 1, 2026
@revanth0212
Contributor

revanth0212 commented Apr 1, 2026

Thanks @pdohogne-magento

What is your opinion on adding min-release-age=7 to the .npmrc file?

This setting will make sure we only prioritize package upgrades after 7 days of their release. This erases 100% of 0-day attacks and 90% of critical security threats. The industry would have figured out the attack and patched it in 7 days.

@pdohogne-magento
Collaborator Author

pdohogne-magento commented Apr 1, 2026

To keep the PR conversation updated:

Usage of minimum release age is deferred pending further discussion. Considerations:

  • npm does not currently have a way to exclude @adobe/* packages from this rule, though yarn does
  • Minimum release age helps prevent problems/attacks introduced in new dependency versions, but it could also block installing urgent fixes for recently-discovered issues that were introduced in previous versions from before the restriction window.

@pdohogne-magento pdohogne-magento changed the base branch from develop to main April 2, 2026 14:23
@pdohogne-magento pdohogne-magento dismissed stale reviews from revanth0212 and brasewel April 2, 2026 14:23

The base branch was changed.

@revanth0212 revanth0212 merged commit ebe506d into adobe:main Apr 2, 2026
4 checks passed
