Skip to content

Fix axios supply chain vulnerability in CI scripts#21984

Open
sanjuyadav24 wants to merge 1 commit intomasterfrom
users/sanjuyadav/axios_install
Open

Fix axios supply chain vulnerability in CI scripts#21984
sanjuyadav24 wants to merge 1 commit intomasterfrom
users/sanjuyadav/axios_install

Conversation

@sanjuyadav24
Copy link
Copy Markdown
Contributor

@sanjuyadav24 sanjuyadav24 commented Apr 9, 2026 

Pin axios to exact versions and add --ignore-scripts to prevent
postinstall script execution in CI pipelines.

Changes:
- detect-changes.yml: npm i axios -> npm i axios@1.14.0 --ignore-scripts
- test-init.yml: add --ignore-scripts to existing pinned install
- release-notes/package.json: remove caret range (^1.12.2 -> 1.12.2)

Ref: https://github.com/microsoft/azure-pipelines-agent/issues/5517

Context

AB#2376575
Addresses supply chain vulnerability reported in microsoft/azure-pipelines-agent#5517

Task Name

NA

Description

Harden all axios installations in CI scripts against supply chain attacks

Risk Assessment (Low )

  • All changes are limited to CI infrastructure scripts — no shipped task code is modified
  • Axios is a pure JavaScript module — --ignore-scripts does not affect its runtime behavior
  • Version pins match currently installed versions — no functional change
  • Verified that run-main-and-verify.js, test-and-verify.js, and release-notes.js all function correctly with these pinned versions

Change Behind Feature Flag (Yes / No)

NA

Tech Design / Approach

NA

Documentation Changes Required (Yes/No)

NA

Unit Tests Added or Updated (Yes / No)

NA

Additional Testing Performed

NA

Logging Added/Updated (Yes/No)

NA

Telemetry Added/Updated (Yes/No)

NA

Rollback Scenario and Process (Yes/No)

NA

Dependency Impact Assessed and Regression Tested (Yes/No)

NA

Checklist

  • Related issue linked (if applicable)
  • Task version was bumped — see versioning guide
  • Verified the task behaves as expected

Fix axios supply chain vulnerability in CI scripts
b44834b 
    Pin axios to exact versions and add --ignore-scripts to prevent
    postinstall script execution in CI pipelines.

    Changes:
    - detect-changes.yml: npm i axios -> npm i axios@1.14.0 --ignore-scripts
    - test-init.yml: add --ignore-scripts to existing pinned install
    - release-notes/package.json: remove caret range (^1.12.2 -> 1.12.2)

    Ref: microsoft/azure-pipelines-agent#5517
@sanjuyadav24 sanjuyadav24 requested review from a team and tarunramsinghani as code owners April 9, 2026 10:56
@azure-pipelines
Copy link
Copy Markdown

azure-pipelines bot commented Apr 9, 2026

Azure Pipelines:
Successfully started running 3 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarunramsinghani tarunramsinghani Awaiting requested review from tarunramsinghani tarunramsinghani is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

internal

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sanjuyadav24