remove crypto-browserify

Description

Summary: update to a current axe-core release and remove crypto-browserify.

Analysis: Snyk just got its teeth into an old unpatched vulnerability in a transitive dependency of crypto-browserify, which we added to stripes-webpack (https://folio-org.atlassian.net/browse/STRWEB-4, PR #37) back in November 2021 to deal with complaints while bundling axe-core.

Bug reports at axe (#210, #2873) suggest the problem is that axe is published as a single bundle whether for consumption by node or a browser, where many node APIs are not present. Solutions include the one we chose, among others:

  • use a polyfill as a fallback in the webpack config, resolve.fallback: { "crypto": require.resolve("crypto-browserify") }

  • use an empty module as a fallback in the webpack config, resolve.fallback: { "crypto": false }

  • set crypto as one of the externals in webpack config, externals: ['crypto']

As of axe 4.4, crypto has been removed, but our stripes-testing dependency is on the specific version 4.3 (https://folio-org.atlassian.net/browse/STCOM-871) because we’d just been burned by a buggy release. If we leave axe at 4.3, then we should be able to replace the polyfill with an empty module and limit our work to stripes-webpack. But it’s worth investigating whether the newest release (v4.10.2 as of this writing) resolves the problems.

At minimum, we need to do some work in stripes-webpack to remove the crypto-browserify dependency and either remove the fallback or use an empty one. And then we need to choose whether to update axe-core in the repositories that include it (ui-eholdings, ui-marc-authorities, stripes-authority-components, stripes-smart-components, stripes-testing).
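One way to verify the cleanup described above, as an added example that is not part of the ticket or of stripes-webpack: a check over a webpack config object and a package.json object that reports any leftover crypto-browserify wiring. The function names, the single-package layout and the sample data are assumptions made for illustration.

```javascript
'use strict';
// Added example; function names and sample data are hypothetical/constructed.
const SECTIONS = ['dependencies', 'devDependencies', 'peerDependencies'];

// First declared version range for `name` in package.json, or undefined.
const findDep = (pkg, name) => SECTIONS.map((s) => (pkg[s] || {})[name]).find(Boolean);

// Per the ticket, axe-core dropped its crypto usage in 4.4.
function axeRequiresCrypto(range) {
  const m = /(\d+)\.(\d+)/.exec(range || '');
  if (!m) return false; // axe-core not declared
  const major = Number(m[1]);
  const minor = Number(m[2]);
  return major < 4 || (major === 4 && minor < 4);
}

function checkCryptoFallback(webpackConfig, pkg) {
  const findings = [];
  const fallback = (webpackConfig.resolve || {}).fallback || {};
  const target = fallback.crypto;
  // Only the string-array form of externals shown in the ticket is handled.
  const externals = [].concat(webpackConfig.externals || []);

  if (typeof target === 'string' && target.includes('crypto-browserify')) {
    findings.push('resolve.fallback.crypto still points at crypto-browserify');
  }
  const handled = target === false || typeof target === 'string' || externals.includes('crypto');
  if (axeRequiresCrypto(findDep(pkg, 'axe-core')) && !handled) {
    findings.push('axe-core < 4.4 is declared but crypto has no empty fallback or external');
  }
  for (const section of SECTIONS) {
    if (pkg[section] && 'crypto-browserify' in pkg[section]) {
      findings.push(`package.json ${section} still lists crypto-browserify`);
    }
  }
  return findings;
}

// Constructed samples: the polyfill setup versus the empty-module replacement.
const before = {
  config: { resolve: { fallback: { crypto: '/repo/node_modules/crypto-browserify/index.js' } } },
  pkg: { dependencies: { 'crypto-browserify': '*', 'axe-core': '4.3.0' } },
};
const after = {
  config: { resolve: { fallback: { crypto: false } } },
  pkg: { dependencies: { 'axe-core': '4.3.0' } },
};
console.log(checkCryptoFallback(before.config, before.pkg));
console.log(checkCryptoFallback(after.config, after.pkg));
```

A check like this only covers direct declarations; the lockfile still needs to be inspected to confirm that crypto-browserify is not pulled in through another package.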

Environment

None

Potential Workaround

None

Details

Development Team

Stripes Force

Created February 6, 2025 at 4:57 AM
Updated March 12, 2025 at 6:53 PM