fix: add npm override for axios (CVE-2025-58754)#27

Open
jignaciopm wants to merge 1 commit into
ednx-release/teak.masterfrom
jipm/fix-synack-W1162-7-axios

Conversation

@jignaciopm


Summary

Add npm overrides for axios to address CVE-2025-58754 (Denial of Service via massive data schemas in Node.js).

CVSS: 7.5 (High)
Vulnerability ID: HELICOPTER-W1162-7

Why npm overrides instead of bumping frontend-platform?

The vulnerable axios version (1.9.0) is a transitive dependency of @edx/frontend-platform. The fix was shipped in frontend-platform v8.5.5+ (axios 1.13.5+), but this MFE's release branch uses frontend-platform ^8.3.1.

Bumping frontend-platform from 8.3.x to 8.5.x on a release branch carries risk of breaking changes. The npm overrides mechanism is the standard approach to force a transitive dependency to a safe version without changing the parent package.

Note: release/verawood already ships with frontend-platform ^8.7.0 (axios 1.15.0) and is not affected.

frontend-platform axios timeline

| frontend-platform | axios  | Status     |
|-------------------|--------|------------|
| 8.3.1             | 1.8.2  | Safe       |
| 8.4.0 – 8.5.0     | 1.9.0  | Vulnerable |
| 8.5.5             | 1.13.5 | Fixed      |
| 8.5.6+            | 1.15.0 | Fixed      |

Change

"overrides": {
  "axios": "^1.9.1"
}

Test plan

  • MFE builds successfully with the override
  • Verify axios version in built bundle is ≥1.9.1
  • Smoke test: login, registration, core MFE functionality

References

Axios versions 1.9.0-1.13.4 are vulnerable to DoS via large data schemes.
Force resolution to ^1.15.0 (resolves to 1.18.0) via npm overrides.
Regenerated package-lock.json for npm ci compatibility.

Refs: CVE-2025-58754
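The second item of the test plan (confirm the resolved axios version is at least 1.9.1) can be checked directly against package-lock.json before a bundle is built. The script below is an added example and is not part of this PR or of the repository: it walks the `packages` map of a lockfileVersion 2/3 lock, flags every axios entry whose version falls inside the range the PR names as vulnerable (1.9.0 through 1.13.4, inclusive), and reports whether package.json carries an `overrides.axios` entry. The two lock files and package.json objects embedded in it are constructed for the demo; the frontend-platform/axios pairings follow the timeline table above.

```javascript
// Added example (not the PR's or the repository's code): audit a
// package-lock.json for axios versions inside the range this PR treats as
// vulnerable, and confirm package.json declares the npm override.
// Only Node's standard library is used.

// Inclusive vulnerable range, taken from the PR text.
const VULN_MIN = [1, 9, 0];
const VULN_MAX = [1, 13, 4];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; prerelease/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part compare: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the resolved version lies in [VULN_MIN, VULN_MAX].
function isVulnerableAxios(version) {
  const v = parseVersion(version);
  return compareVersions(v, VULN_MIN) >= 0 && compareVersions(v, VULN_MAX) <= 0;
}

// Every axios install in the lock, hoisted or nested, with its verdict.
function findAxios(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project, not a dependency
    if (path.endsWith("node_modules/axios")) {
      hits.push({ path, version: entry.version, vulnerable: isVulnerableAxios(entry.version) });
    }
  }
  return hits;
}

// The override range declared for axios in package.json, or null if absent.
function axiosOverride(pkg) {
  return (pkg.overrides && pkg.overrides.axios) || null;
}

function audit(pkg, lock) {
  const entries = findAxios(lock);
  return {
    override: axiosOverride(pkg),
    entries,
    vulnerable: entries.filter((e) => e.vulnerable).map((e) => `${e.path}@${e.version}`),
  };
}

// Constructed sample: before the override, axios 1.9.0 nested under frontend-platform 8.5.0.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-mfe" },
    "node_modules/@edx/frontend-platform": { version: "8.5.0" },
    "node_modules/@edx/frontend-platform/node_modules/axios": { version: "1.9.0" },
  },
};
// Constructed sample: after regenerating the lock with the override, a single hoisted axios.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-mfe" },
    "node_modules/@edx/frontend-platform": { version: "8.5.0" },
    "node_modules/axios": { version: "1.13.5" },
  },
};
const PKG_BEFORE = { name: "demo-mfe" };
const PKG_AFTER = { name: "demo-mfe", overrides: { axios: "^1.9.1" } };

// CLI use: node audit-axios.js package.json package-lock.json
// (falls back to the constructed "after" samples when no paths are given).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [pkgPath, lockPath] = process.argv.slice(2);
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, "utf8")) : PKG_AFTER;
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : LOCK_AFTER;
  const result = audit(pkg, lock);
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.vulnerable.length ? 1 : 0;
}
```

Run it against the branch's package.json and the regenerated package-lock.json; a non-zero exit means some axios copy, including a nested one under a parent package, still resolves inside the vulnerable range, which is exactly the case an `npm ls axios` spot check on a hoisted copy can miss.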
@jignaciopm jignaciopm force-pushed the jipm/fix-synack-W1162-7-axios branch from 05d2bf6 to 488da9e on June 16, 2026 15:05
@jignaciopm

Author

CI failure is pre-existing — not caused by this PR

The Codecov failure is a configuration issue unrelated to this PR's changes:

error - Commit creating failed: {"message":"Token required because branch is protected"}

Codecov requires an upload token (CODECOV_TOKEN) for protected branches, but the repository's CI workflow does not have this token configured for fork PRs. This affects any PR to this repository, not just this one.

What this PR changes

Only package.json (adding npm overrides for axios) and the regenerated package-lock.json. No source code changes, no test changes.
