Fix axios supply chain vulnerability in CI scripts (#5524)

sanjuyadav24 · web-flow · commit ac815af30592 · 2026-04-23T09:58:56.000+05:30
* Fix axios supply chain vulnerability in CI scripts Pin axios to exact versions and add --ignore-scripts to prevent postinstall script execution in CI pipelines. Ref: #5517 * Added npm ci and private feed
diff --git a/.azure-pipelines/pipeline.yml b/.azure-pipelines/pipeline.yml
@@ -129,9 +129,12 @@ extends:
           timeoutInMinutes: 300
           steps:
           - template: /.azure-pipelines/get-pat.yml@self
+          - task: NpmAuthenticate@0
+            inputs:
+              workingFile: .azure-pipelines/scripts/.npmrc
           - bash: |
               cd ./.azure-pipelines/scripts/
-              npm install axios minimist
+              npm ci --ignore-scripts
 
               releaseBranch="${{ parameters.branch }}"
               sourceBranch="$(Build.SourceBranch)"
diff --git a/.azure-pipelines/scripts/.npmrc b/.azure-pipelines/scripts/.npmrc
@@ -0,0 +1,3 @@
+registry=https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/
+
+always-auth=true
diff --git a/.azure-pipelines/scripts/package-lock.json b/.azure-pipelines/scripts/package-lock.json
diff --git a/.azure-pipelines/scripts/package.json b/.azure-pipelines/scripts/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "azure-pipelines-canary-scripts",
+  "version": "1.0.0",
+  "private": true,
+  "description": "CI scripts for Azure Pipelines Agent canary tests",
+  "dependencies": {
+    "axios": "1.14.0",
+    "minimist": "1.2.8"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+registry=https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/`
	`2`	`+`
	`3`	`+always-auth=true`