Fix axios supply chain vulnerability in CI scripts #5524

Open

sanjuyadav24 wants to merge 3 commits into master from users/sanjuyadav/axios_install

Conversation

@sanjuyadav24
Contributor

Pin axios to exact versions and add --ignore-scripts to prevent
postinstall script execution in CI pipelines.

Ref: https://github.com/microsoft/azure-pipelines-agent/issues/5517

Context

AB#2376575
Axios supply chain attack - does this need locking to a specific version? #5517

Description

Pin axios to 1.14.0 and minimist to 1.2.8 with --ignore-scripts in the canary test pipeline step.

  • Version pinning ensures npm install always resolves to known-safe versions, preventing automatic installation of compromised releases.
  • --ignore-scripts prevents execution of postinstall lifecycle scripts during installation. Both axios and minimist are pure JavaScript modules that do not require any build or compile steps — this flag adds defense-in-depth against supply chain attacks targeting transitive
    dependencies.

Risk Assessment (Low)

  • Change is limited to a CI pipeline step — no impact to agent source code, build artifacts, or shipped packages.
  • The packages are pure JavaScript; --ignore-scripts does not affect their runtime behavior.
  • This is a strictly additive security hardening with no behavioral change to the canary test script (run-and-verify.js).

Unit Tests Added or Updated (No)

CI pipeline YAML change — no unit-testable code modified. The canary pipeline itself serves as the integration test.


Additional Testing Performed

  • Verified axios@1.14.0 and minimist@1.2.8 are the latest safe versions on npm
  • Confirmed run-and-verify.js functions correctly with these pinned versions (no dependency on postinstall scripts)
  • Audited all three ADO canary instances (canarytest, buildcanary, canarytestpf) — confirmed no builds were exposed during the March 31 infection window

Change Behind Feature Flag (No)

CI pipeline hardening — feature flags are not applicable to build infrastructure changes.


Tech Design / Approach

No architectural changes.


Documentation Changes Required (Yes/No)

NA


Logging Added/Updated (Yes/No)

NA


Telemetry Added/Updated (Yes/No)

NA


Rollback Scenario and Process (Yes/No)

NA


Dependency Impact Assessed and Regression Tested (Yes/No)

NA

    Pin axios to exact versions and add --ignore-scripts to prevent
    postinstall script execution in CI pipelines.

    Ref: #5517
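The hardening the description above calls for, written out as an added example that is not the azure-pipelines-agent project's own pipeline code. It composes the pinned, script-free install command and adds the two post-install checks a reviewer would want in the same step: that every pinned package landed at exactly the pinned version, and that no installed package declares an install-time lifecycle hook (the scripts `--ignore-scripts` suppressed). Assumptions: unscoped package names, the pipeline runs the install itself (the command is only printed here so the script runs offline), and `find_install_hooks` is a key-match heuristic rather than a JSON parse. The sample `node_modules` used in the check is constructed, not taken from a real install.

```shell
#!/bin/sh
# Added example for the hardening described in this PR; not code from the
# azure-pipelines-agent repository. Assumes unscoped package names and that
# the install itself is run by the pipeline step (the command is only
# composed here so the script stays runnable offline).

# Exact pins: "name@x.y.z" with no ^ or ~ range, so npm resolves that one
# version and never a newer (possibly compromised) release.
PINS="axios@1.14.0 minimist@1.2.8"

# The hardened install command. --ignore-scripts stops every preinstall,
# install and postinstall lifecycle hook of the installed packages from
# running on the build agent.
hardened_install_cmd() {
  printf 'npm install --ignore-scripts %s\n' "$PINS"
}

# First "version" field found in a package.json. npm manifests carry one
# top-level version, which is enough for this check.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 1 (fail the step) unless every pinned package is installed at
# exactly the pinned version. Catches a pin edited back to a range, a stale
# cached node_modules, or a registry/proxy that served a different tarball.
verify_pins() {
  root="$1"
  status=0
  for pin in $PINS; do
    name="${pin%@*}"      # everything before the last '@'
    want="${pin##*@}"     # everything after the last '@'
    pj="$root/node_modules/$name/package.json"
    if [ ! -f "$pj" ]; then
      echo "MISSING: $name not installed" >&2
      status=1
      continue
    fi
    got="$(pkg_version "$pj")"
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $name pinned $want, installed $got" >&2
      status=1
    fi
  done
  return "$status"
}

# Print the name of every installed package whose manifest declares an
# install-time hook. These are exactly the scripts --ignore-scripts
# suppressed; for pure-JS packages such as axios and minimist the output
# should be empty, so anything listed deserves a look. Heuristic key match
# on the manifest text, not a JSON parse.
find_install_hooks() {
  root="$1"
  for pj in "$root"/node_modules/*/package.json; do
    [ -f "$pj" ] || continue
    if grep -Eq '"(preinstall|install|postinstall)"[[:space:]]*:' "$pj"; then
      basename "$(dirname "$pj")"
    fi
  done
}

# Pipeline usage (not executed here): run the install, then both checks.
#   $(hardened_install_cmd) && verify_pins "$PWD" \
#     && [ -z "$(find_install_hooks "$PWD")" ]
```

Two limits worth keeping in mind when reading the PR's risk assessment: a `name@x.y.z` pin on the command line fixes only the named packages, not their transitive dependencies (a committed lockfile installed with `npm ci` is what pins those), and `--ignore-scripts` only stops install-time hooks; code that runs when the module is `require`d by `run-and-verify.js` still executes, so the exact-version pin is doing most of the work here.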
@sanjuyadav24 sanjuyadav24 requested review from a team as code owners April 9, 2026 10:43
@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

Comment thread .azure-pipelines/pipeline.yml Outdated
@tarunramsinghani tarunramsinghani self-requested a review April 10, 2026 04:35
@raujaiswal
Contributor

/azp run

@azure-pipelines

Commenter does not have sufficient privileges for PR 5524 in repo microsoft/azure-pipelines-agent

Comment thread .azure-pipelines/pipeline.yml Outdated
@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

Comment thread .azure-pipelines/pipeline.yml