[Aikido] Fix 8 security issues in axios, hono, lodash and 2 more

[aikido-autofix]

Upgrade axios, hono, lodash, thirdweb, and js-yaml to fix DoS via prototype pollution, authorization bypass via URL decoding mismatch, SSE/cookie injection, and timing-safe authentication vulnerabilities.

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2026-29045	HIGH	[axios] Inconsistent URL decoding between router and serveStatic allows attackers to bypass route-based middleware protections using encoded slashes (%2F) to access protected static resources without authorization.
CVE-2026-29085	MEDIUM	[axios] The streamSSE() function fails to validate event, id, and retry fields for carriage return and newline characters, allowing injection of additional SSE fields that could lead to data manipulation or client-side script injection if rendered unsafely.
CVE-2026-29086	MEDIUM	[axios] Cookie attribute injection vulnerability in setCookie() due to insufficient validation of semicolons, carriage returns, and newlines in domain and path options, allowing attackers to manipulate cookie attributes if untrusted input is passed to these fields.
GHSA-gq3j-xvxp-8hrf	LOW	[axios] Timing-safe comparison vulnerability in basicAuth and bearerAuth middlewares where hash value comparison used non-constant-time string equality, potentially allowing timing-based analysis attacks under controlled conditions.
CVE-2025-13465	MEDIUM	[axios] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths, potentially causing denial of service or unexpected application behavior.
AIKIDO-2024-10466	MEDIUM	[axios] Insufficient entropy in the signature algorithm allows attackers to recover private keys by exploiting nonce reuse across different messages. This vulnerability compromises the entire security of the signing system and enables unauthorized access to cryptographic credentials.
AIKIDO-2025-10809	MEDIUM	[axios] Prototype Pollution vulnerability in YAML merging allows attackers to inject malicious keys into object prototypes, potentially leading to remote code execution, denial of service, or other security breaches.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2899/small-upgrade-for-lodash
• https://linear.app/cube-labs/issue/CUB-2961/small-upgrade-for-hono
• https://linear.app/cube-labs/issue/CUB-2965/minor-upgrade-for-axios

🔄 Upgrade impact analysis is in progress. Breaking changes will be added here once finalized.

---

PR-Codex overview

This PR updates various package dependencies and configurations in the package.json, pnpm-lock.yaml, and related files, including version upgrades and restructuring of certain properties.

Detailed summary

• Updated packageManager in package.json.
• Modified lint-staged configuration format.
• Added dependencies: axios, hono, lodash, and js-yaml with specific versions.
• Restructured typesVersions in packages/agw-react/package.json.
• Updated thirdweb version in multiple places.
• Enhanced devDependencies and peerDependencies for various packages.
• Removed deprecated or unused package versions.
• Fixed dependency versions for axios, viem, and others across multiple files.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8462784

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

PR Summary

Medium Risk
Dependency overrides and a move to a thirdweb nightly build can change runtime/build behavior across the monorepo despite being security-motivated updates.

Overview
Security-focused dependency pinning. Adds pnpm.overrides entries in the root package.json to force specific versions of axios, hono, lodash, and js-yaml (plus minor formatting cleanup), aiming to address reported vulnerabilities.

SDK dev dependency update. Updates packages/agw-react to use a pinned thirdweb nightly in devDependencies (peer range unchanged) and applies JSON formatting-only changes to typesVersions/files.

^{Written by Cursor Bugbot for commit 8462784. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Nightly thirdweb build pinned in devDependencies

Medium Severity

The thirdweb devDependency was changed from the semver range "^5.68.0" to a specific nightly build "5.93.5-nightly-b51157c0ff17e9535029fc8790cfa8538d1c995f-20250326000337". Nightly builds are inherently unstable, not meant for committed code, and can introduce unexpected breakage. The peer dependency still specifies the stable range "^5.72.0", making this inconsistent. This looks like a testing artifact that wasn't reverted before committing.

 

[cursor]

Overrides use exact versions instead of minimum ranges

Medium Severity

The new overrides for axios, hono, lodash, and js-yaml pin to exact versions (e.g., "1.13.5") instead of using the >= minimum-range pattern (e.g., ">=1.13.5") that every other override in this file follows. This means future patch releases containing additional security fixes won't be picked up automatically, potentially leaving vulnerabilities unresolved until someone manually bumps these overrides again.