This repository was archived by the owner on Apr 18, 2026. It is now read-only.

[Aikido] Fix 21 security issues in h3, lodash, thirdweb and 5 more#442

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-23807544-sycm

Conversation


aikido-autofix[bot] commented Apr 17, 2026

Upgrade dependencies to fix critical vulnerabilities: H3 SSE injection, Lodash code execution via template imports, Axios proxy bypass/SSRF, and Hono authentication bypass in static file serving.

⚠️ Incomplete breaking changes analysis (6/8 analyzed)

⚠️ Breaking changes analysis not available for: thirdweb, follow-redirects

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

Version Description
4.18.0
_.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0
_.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed.

All breaking changes by upgrading socket.io-parser from version 4.2.4 to 4.2.6 (CHANGELOG)

Version Description
4.2.6
Added a limit to the number of binary attachments, which restricts previously unlimited attachment behavior

All breaking changes by upgrading defu from version 6.1.4 to 6.1.5 (CHANGELOG)

Version Description
v6.1.5
Inherited enumerable properties are now ignored, which may affect code that previously relied on merging inherited properties from prototype chains
✅ 21 CVEs resolved by this upgrade, including 4 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-33128
🚨 CRITICAL
[h3] createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization, allowing attackers who control SSE message fields to inject arbitrary events to connected clients.
GHSA-4hxc-9384-m385
MEDIUM
[h3] The EventStream class fails to sanitize carriage return (\r) characters in data and comment fields, allowing attackers to inject arbitrary SSE events, spoof event types, and split single push() calls into multiple browser-parsed events. This bypasses a prior fix that only addressed newline (\n) injection.
CVE-2026-4800
🚨 CRITICAL
[lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-13465
MEDIUM
[lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2026-2950
MEDIUM
[lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior.
CVE-2025-62718
🚨 CRITICAL
[axios] Improper hostname normalization in NO_PROXY rule checking allows requests to loopback addresses (localhost., [::1]) to bypass proxy protections, enabling proxy bypass and potential SSRF attacks against internal services. This vulnerability permits attackers to reach sensitive services despite configured NO_PROXY protections.
CVE-2026-40175
HIGH
[axios] A prototype pollution vulnerability in Axios can be exploited through gadget chains to escalate into Remote Code Execution (RCE) or bypass AWS IMDSv2 for cloud compromise. This affects any third-party dependencies using the library.
CVE-2026-25639
HIGH
[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing __proto__ as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2026-29045
🚨 CRITICAL
[hono] URL decoding inconsistency between router and serveStatic allows bypassing route-based middleware protections via encoded slashes (%2F), enabling unauthorized access to protected static resources. This vulnerability permits attackers to circumvent authorization checks through path manipulation.
CVE-2026-29085
MEDIUM
[hono] Improper input validation in streamSSE() allows injection of arbitrary SSE fields through unvalidated carriage return and newline characters in event, id, and retry fields, enabling protocol manipulation and potential information disclosure or DoS attacks.
CVE-2026-39409
MEDIUM
[hono] The ipRestriction() middleware fails to canonicalize IPv4-mapped IPv6 addresses before applying IPv4 allow/deny rules, allowing attackers to bypass IP-based access controls in dual-stack environments.
CVE-2026-29086
MEDIUM
[hono] The setCookie() utility fails to validate semicolons, carriage returns, and newlines in domain and path options, allowing attackers to inject additional cookie attributes through untrusted input. This could lead to cookie manipulation and potential security bypasses.
GHSA-26pp-8wgv-hjvm
MEDIUM
[hono] Cookie names are not validated in setCookie(), serialize(), or serializeSigned(), allowing invalid characters that can cause malformed Set-Cookie headers and runtime errors when processing untrusted cookie names.
GHSA-v8w9-8mx6-g223
MEDIUM
[hono] Prototype pollution vulnerability in parseBody({ dot: true }) where specially crafted form field names like __proto__.x create objects with __proto__ properties, potentially enabling prototype pollution if merged unsafely into other objects.
CVE-2026-39410
MEDIUM
[hono] A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed, enabling attacker-controlled cookies to override legitimate ones through key normalization.
GHSA-458j-xx4x-4375
MEDIUM
[hono] Improper validation of JSX attribute names allows malformed keys to inject unintended HTML attributes or elements during server-side rendering, potentially leading to XSS attacks when untrusted input is used as attribute keys.
GHSA-gq3j-xvxp-8hrf
LOW
[hono] The basicAuth and bearerAuth middlewares used non-timing-safe string comparison for hash validation, potentially allowing timing-based analysis attacks. The vulnerability has been fixed by implementing constant-time comparison to prevent early termination.
CVE-2026-33151
HIGH
[socket.io-parser] A specially crafted Socket.IO packet can cause the server to buffer an excessive number of binary attachments, leading to memory exhaustion and denial of service.
CVE-2026-35209
HIGH
[defu] Prototype pollution vulnerability in the defu function allows attackers to override default object properties through crafted __proto__ payloads in unsanitized user input, potentially leading to application logic bypass or information disclosure.
GHSA-r4q5-vmmm-2653
MEDIUM
[follow-redirects] Custom authentication headers (e.g., X-API-Key, X-Auth-Token) are leaked to redirect targets on cross-domain redirects because only standard headers are stripped. This enables attackers to capture sensitive credentials through malicious redirects.
AIKIDO-2024-10466
MEDIUM
[viem] Insufficient entropy in the signature algorithm allows nonce reuse across transactions, enabling attackers to recover the private key and compromise cryptographic security.
🔗 Related Tasks

🔄 Upgrade impact analysis is in progress. Breaking changes will be added here once finalized.


PR-Codex overview

This PR focuses on updating various dependencies in the package.json and pnpm-lock.yaml files, enhancing the project’s compatibility and performance. It also modifies the structure of lint-staged configurations and adjusts type definitions for better clarity.

Detailed summary

  • Updated packageManager version in package.json.
  • Modified lint-staged configuration to use array syntax.
  • Added several new dependencies with specific version constraints.
  • Adjusted existing dependency versions for tmp, h3, lodash, axios, hono, socket.io-parser, defu, and follow-redirects.
  • Changed typesVersions structure in packages/agw-react/package.json.
  • Updated files field in packages/agw-react/package.json to array format.
  • Updated thirdweb version in packages/agw-react/package.json.
  • Updated dependency versions in pnpm-lock.yaml, including @tanstack/react-query and viem.
  • Removed deprecated entries and adjusted peer dependencies in pnpm-lock.yaml.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}
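The h3 entries (CVE-2026-33128, GHSA-4hxc-9384-m385) and the hono streamSSE() entry (CVE-2026-29085) in the list above are the same bug class: a Server-Sent Events writer that copies caller-controlled text into a single-line field without rejecting line terminators. The block below is an added illustration, not code from h3, hono, or this repository; the function names, the serializer shape, and the hostile message body are ours. It shows a verbatim serializer splitting one push into two client-parsed events, a \n-only check that the \r-based payload walks past (the "prior fix" the second h3 advisory refers to), and a check that rejects both terminators.

```javascript
// Added example, not h3's or hono's code: why an unsanitized \r or \n in an
// SSE field lets one push() become several client-side events, and why a
// fix that only checks \n is incomplete. Function names are ours.

// Serializer with the flaw the advisories describe: caller-controlled
// fields are written into the stream verbatim.
function serializeUnsafe({ event, id, data }) {
  let out = "";
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  out += `data: ${data}\n`;
  return out + "\n"; // blank line dispatches the event
}

// "First fix" variant: rejects \n only, so a \r-based payload still passes.
function serializeLfOnly(fields) {
  for (const [name, v] of Object.entries(fields)) {
    if (v !== undefined && String(v).includes("\n")) {
      throw new Error(`SSE field "${name}" contains a newline`);
    }
  }
  return serializeUnsafe(fields);
}

// Hardened variant: SSE has no escaping for field values, so any line
// terminator (\r or \n) in a single-line field is rejected outright.
function serializeSafe(fields) {
  for (const [name, v] of Object.entries(fields)) {
    if (v !== undefined && /[\r\n]/.test(String(v))) {
      throw new Error(`SSE field "${name}" contains a line break`);
    }
  }
  return serializeUnsafe(fields);
}

// Minimal client-side parser following the EventSource line rules: a line
// ends at \n, \r or \r\n; a blank line dispatches the buffered event; a
// field is split at the first ':' with one leading space stripped.
function parseSse(stream) {
  const events = [];
  let cur = { event: "message", id: undefined, data: [] };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (cur.data.length) events.push({ event: cur.event, id: cur.id, data: cur.data.join("\n") });
      cur = { event: "message", id: undefined, data: [] };
      continue;
    }
    if (line.startsWith(":")) continue; // comment line
    const i = line.indexOf(":");
    const field = i === -1 ? line : line.slice(0, i);
    let value = i === -1 ? "" : line.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "event") cur.event = value;
    else if (field === "data") cur.data.push(value);
    else if (field === "id") cur.id = value;
  }
  return events;
}

// Constructed attacker-controlled message body using only \r, which a
// \n-only check does not catch.
const HOSTILE_DATA = "hello\r\revent: session-expired\rdata: {\"logout\":true}";

function threw(fn) {
  try { fn(); return false; } catch { return true; }
}

function demo() {
  const injected = parseSse(serializeUnsafe({ event: "chat", data: HOSTILE_DATA }));
  const lfOnlyBlocked = threw(() => serializeLfOnly({ event: "chat", data: HOSTILE_DATA }));
  const safeBlocked = threw(() => serializeSafe({ event: "chat", data: HOSTILE_DATA }));
  return {
    injectedTypes: injected.map(e => e.event), // ["chat", "session-expired"]
    lfOnlyBlocked,                             // false: the \n-only fix is bypassed
    safeBlocked,                               // true
  };
}
```

The rejecting approach is deliberate: the SSE wire format has no escape sequence for a line break inside an event, id or retry field, so the only safe options are to refuse the value or to transform it into something with different semantics. Multi-line data is legitimate only when the writer itself emits one data: line per segment.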
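Three of the listed advisories share one root cause: the defu entry (CVE-2026-35209), the hono parseBody({ dot: true }) entry (GHSA-v8w9-8mx6-g223) and the axios mergeConfig entry (CVE-2026-25639) all concern objects that carry __proto__ as an own property, which is exactly what JSON.parse() produces from untrusted input. The block below is an added illustration, not code from defu, hono, axios or this repository; the merge functions and the payload are ours. It shows why a plain recursive defaults merge ends up writing into Object.prototype, and two defences: a merge that skips prototype keys, and a JSON.parse reviver that drops them at the boundary.

```javascript
// Added example, not defu's, hono's or axios's code. A JSON.parse()-produced
// object carries "__proto__" as an ordinary own property; a recursive merge
// of defaults that walks every own key then writes into Object.prototype.
// Function names and the payload are ours.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep merge (the vulnerable shape). For key "__proto__", target[key]
// is the prototype of `target`, which passes isPlainObject, so the recursion
// assigns the members of src.__proto__ onto Object.prototype.
function mergeUnsafe(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key]) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened merge: skip prototype keys, recurse only into properties the
// target actually owns, and copy nested sources so forbidden keys deeper in
// the payload are dropped as well.
function mergeSafe(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      const base = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeSafe(base, src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Boundary defence: strip the keys while parsing so no later merge sees
// them (a reviver returning undefined deletes the property).
function parseJsonStrict(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Constructed payload in the shape the advisories describe.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

function demo() {
  const body = JSON.parse(PAYLOAD);
  const bodyOwnsProto = hasOwn(body, "__proto__");   // true

  const before = ({}).isAdmin;                        // undefined
  mergeUnsafe({ theme: "light" }, body);
  const afterUnsafe = ({}).isAdmin;                   // true: every object is now "admin"
  delete Object.prototype.isAdmin;                    // undo the pollution for the rest of the process

  const cfg = mergeSafe({ theme: "light" }, body);
  const afterSafe = ({}).isAdmin;                     // undefined
  const strict = parseJsonStrict(PAYLOAD);

  return {
    bodyOwnsProto, before, afterUnsafe, afterSafe,
    theme: cfg.theme,                                 // "dark"
    cfgOwnsProto: hasOwn(cfg, "__proto__"),           // false
    strictOwnsProto: hasOwn(strict, "__proto__"),     // false
  };
}
```

The merge-side check is the one that generalises: a reviver only helps for JSON, while form bodies, query strings and YAML can produce the same own-property shape through other parsers.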
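The axios NO_PROXY entry (CVE-2025-62718) describes a policy keyed on the raw hostname string, which therefore answers differently for spellings of one host such as localhost. versus localhost, or [::1] versus ::1. The block below is an added illustration, not axios's code or this repository's; the rule syntax, the function names and the sample NO_PROXY list are ours. It contrasts a matcher that compares raw strings with one that canonicalises both the rules and the request host first, so that every spelling of a host gets the same decision.

```javascript
// Added example, not axios's code. The NO_PROXY bypass described for
// CVE-2025-62718 is an instance of a general bug: a policy keyed on the raw
// hostname gives different answers for equivalent spellings of one host.
// Rule syntax ("host", ".suffix", "*") and function names are ours.

// Canonical form: lowercase, no trailing root dot, no IPv6 brackets.
function canonicalHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  while (h.length > 1 && h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// One NO_PROXY-style entry: "*", an exact host, or ".suffix" meaning the
// suffix host itself or any subdomain of it.
function entryMatches(entry, host) {
  if (entry === "*") return true;
  if (entry.startsWith(".")) return host === entry.slice(1) || host.endsWith(entry);
  return host === entry;
}

// Vulnerable shape: compares whatever string the caller supplied.
function bypassesProxyRaw(noProxy, host) {
  return noProxy.split(",").map(e => e.trim()).filter(Boolean)
    .some(entry => entryMatches(entry, host));
}

// Hardened shape: canonicalise rules and host before comparing.
function bypassesProxyCanonical(noProxy, host) {
  const h = canonicalHost(host);
  return noProxy.split(",").map(canonicalHost).filter(Boolean)
    .some(entry => entryMatches(entry, h));
}

// Constructed rule list and request hosts; every host below names a
// loopback or internal destination the rule list is meant to cover.
const NO_PROXY = "localhost,127.0.0.1,[::1],.corp.internal";
const SPELLINGS = ["localhost", "localhost.", "LOCALHOST", "[::1]", "::1", "api.corp.internal."];

function demo() {
  return {
    raw: SPELLINGS.map(h => bypassesProxyRaw(NO_PROXY, h)),        // [true, false, false, true, false, false]
    canonical: SPELLINGS.map(h => bypassesProxyCanonical(NO_PROXY, h)), // all true
  };
}
```

Whichever way a deployment intends the policy (proxy as the egress control, or NO_PROXY as the list of trusted internal hosts), the inconsistency is the defect: the raw matcher lets the same destination be reached with or without the proxy depending only on how the URL is spelled.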

aikido-autofix[bot] added the label "dependencies" (Pull requests that update a dependency file) on Apr 17, 2026

changeset-bot commented Apr 17, 2026

⚠️ No Changeset found

Latest commit: f667c1a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR
