
[2c] Replace axios (CVE-2023-45857) with native fetch #22

@kalwalt

Description

Summary

Replace axios with native fetch to eliminate the unpatched CVE-2023-45857 / SSRF vulnerability

Environment

  • Product/Service: FeatureSET-Display — JavaScript API
  • File: src/Utils.js
  • Dependency: axios 0.26.x

Problem Description

axios 0.26.x has unpatched CVEs including CVE-2023-45857 (SSRF). The two Utils.js methods (fetchRemoteData, fetchRemoteDataBlob) only use axios.get(url, { responseType: 'arraybuffer' }) — functionality natively available in the browser via fetch().then(r => r.arrayBuffer()). Replacing axios removes the vulnerability entirely and eliminates a runtime dependency.

Expected Behavior

fetchRemoteData and fetchRemoteDataBlob use the browser-native fetch API. axios is removed from package.json. No CVEs remain from this dependency.

Actual Behavior

axios 0.26.x is bundled and shipped with unpatched SSRF vulnerability CVE-2023-45857.

Error Details

CVE-2023-45857 — axios <=1.5.1: SSRF via crafted request
Severity: High
Affected: axios 0.26.x (current)

Tasks

  • Replace fetchRemoteData in src/Utils.js with a fetch-based implementation
  • Replace fetchRemoteDataBlob in src/Utils.js with a fetch-based implementation
  • Remove axios from package.json dependencies and run npm install to update the lock file

Impact

High — Unpatched security vulnerability (CVE-2023-45857 / SSRF) shipped in the bundle. Fix is a one-line change per method.

Additional Context

Replacement pattern:

async fetchRemoteData(url) {
  const res = await fetch(url);
  // axios.get() rejects on a non-2xx status; fetch() resolves, so check explicitly
  if (!res.ok) throw new Error(`HTTP ${res.status} fetching ${url}`);
  return res.arrayBuffer();
}

No external dependency needed. Works in all modern browsers and Node 18+.
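The replacement pattern carried through for both Utils.js methods, as an added example that is not the project's code: it keeps the reject-on-non-2xx behaviour axios.get() provided, which a bare fetch() drops because fetch only rejects on network failure. The fetchImpl parameter and the fake fetch are assumptions so the example runs offline.

```javascript
// Added example, not FeatureSET-Display code. `fetchImpl` is an assumed
// injection point so the functions can be exercised with a constructed fake;
// in the library it would simply default to the browser's global fetch.

async function fetchRemoteData(url, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url);
  // axios.get() rejected on any non-2xx status; fetch() resolves on a 404,
  // so without this check an HTML error page would be returned as binary data.
  if (!res.ok) {
    throw new Error(`fetchRemoteData: ${url} returned HTTP ${res.status}`);
  }
  return res.arrayBuffer();
}

async function fetchRemoteDataBlob(url, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url);
  if (!res.ok) {
    throw new Error(`fetchRemoteDataBlob: ${url} returned HTTP ${res.status}`);
  }
  return res.blob();
}

// Constructed fake fetch (not a real server): serves a 4-byte "model" at
// /data/model.bin and a 404 HTML page for any other path.
function makeFakeFetch() {
  const MODEL = new Uint8Array([0x41, 0x42, 0x43, 0x44]);
  return async function fakeFetch(url) {
    const ok = url.endsWith('/data/model.bin');
    const body = ok ? MODEL : new TextEncoder().encode('<html>not found</html>');
    const type = ok ? 'application/octet-stream' : 'text/html';
    return {
      ok,
      status: ok ? 200 : 404,
      arrayBuffer: async () =>
        body.buffer.slice(body.byteOffset, body.byteOffset + body.byteLength),
      blob: async () => new Blob([body], { type }),
    };
  };
}

// Stand-alone demo: the good path yields 4 bytes, the missing path rejects.
const demoFetch = makeFakeFetch();
fetchRemoteData('https://example.invalid/data/model.bin', demoFetch)
  .then((buf) => console.log('model bytes:', buf.byteLength));
fetchRemoteData('https://example.invalid/missing.bin', demoFetch)
  .catch((err) => console.log('rejected as expected:', err.message));
```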
