Replace axios with built-in alternatives

[kuhe]

Describe the feature

Can use of axios be replaced by native node:http(s), fetch, or XMLHttpRequest?

Use Case

Because this package (aws-crt) is a dependency of the AWS SDK for JavaScript (v3), SDK users are affected by recurrent vulnerabilities discovered in the axios package.

https://security.snyk.io/package/npm/axios

Although it is ranged ^1.x, applications may not update with as much frequency as would be required.

Secondarily, it would also reduce the package size to remove this dependency.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[trivikr]

Revisiting this issues from another ticket to JS SDK team (internal JS-5564)

Axios is used in lib/browser/http.ts, and it can be easily be replaced with Fetch API

aws-crt-nodejs/lib/browser/http.ts

Line 30 in 7b3fc6c

import * as axios from "axios";

JS SDK uses fetch in fetch-http-handler.

There are codemods available to perform migration.
For example, Axios → Fetch with Codemod 2.0.

[trivikr]

Revisiting this issue from another ticket to JS SDK team (internal JS-6244)

The dependency axios needs to be replaced by fetch.

[bretambrose]

I looked into this last week and this isn't a trivial matter unfortunately.

[trivikr]

On 3/31, axios@1.14.1 and axios@0.30.4 were compromised with a supply chain attack
Details in https://socket.dev/blog/axios-npm-package-compromised

It would have impacted aws-crt-nodejs users who don't use lockfile, and/or updated their lockfile

aws-crt-nodejs/package.json

Line 57 in a201f63

"axios": "^1.12.2",

npm quicky responded and removed the malicious dependency.
But to ensure it doesn't happen again, libraries should consider replacing axios with built-in alternatives.

[bretambrose]

It is not clear how to emulate the proxy support that axios provides. Absent a solution there, we would have to take the risk that no one is using an http proxy and the browser implementation in node. I doubt anyone is doing that, but I have no way of actually knowing, hence the reluctance to move further with this.