[Aikido] Fix 5 security issues in axios, lodash, thirdweb and 2 more

[aikido-autofix]

Upgrade axios, lodash, thirdweb, js-yaml, and hono to fix DoS via prototype pollution, private key recovery via weak nonce generation, RCE via YAML prototype pollution, and timing-safe authentication comparison.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2025-13465	MEDIUM	[axios] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths, potentially causing denial of service or unexpected application behavior.
AIKIDO-2024-10466	MEDIUM	[axios] Insufficient entropy in the signature algorithm allows attackers to recover private keys by exploiting nonce reuse across different messages. This vulnerability compromises the entire security of the signing system and enables unauthorized access to cryptographic credentials.
AIKIDO-2025-10809	MEDIUM	[axios] Prototype Pollution vulnerability in YAML merging allows attackers to inject malicious keys into object prototypes, potentially leading to remote code execution, denial of service, or other security breaches.
GHSA-gq3j-xvxp-8hrf	LOW	[axios] Timing-safe comparison vulnerability in basicAuth and bearerAuth middlewares where hash value comparison used non-constant-time string equality, potentially allowing timing-based analysis attacks under controlled conditions.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2899/small-upgrade-for-lodash
• https://linear.app/cube-labs/issue/CUB-2961/small-upgrade-for-hono
• https://linear.app/cube-labs/issue/CUB-2965/minor-upgrade-for-axios

🔄 Upgrade impact analysis is in progress. Breaking changes will be added here once finalized.

---

PR-Codex overview

This PR focuses on updating package.json and pnpm-lock.yaml files to reflect dependency upgrades, changes in scripts, and adjustments in type definitions across various packages.

Detailed summary

• Updated packageManager in package.json.
• Modified lint-staged configuration to use an array format.
• Added new dependencies: axios, lodash, js-yaml, and hono.
• Adjusted versions for existing dependencies in packages/agw-react/package.json.
• Updated thirdweb version to a nightly build.
• Adjusted peerDependenciesMeta for various packages.
• Updated dependency versions and resolutions in pnpm-lock.yaml.
• Removed deprecated packages and updated others to their latest versions.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4caf9c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

PR Summary

Medium Risk
Dependency overrides and a switch to a specific thirdweb nightly build can introduce behavioral or compatibility changes during builds/tests despite being primarily security-driven.

Overview
Pins vulnerable dependency versions via root pnpm.overrides, forcing axios, lodash, js-yaml, and hono to specific patched versions (plus minor lint-staged formatting changes).

Updates @abstract-foundation/agw-react to use a specific thirdweb nightly in devDependencies and applies non-functional package.json formatting tweaks (arrays/ordering).

^{Written by Cursor Bugbot for commit 4caf9c6. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Nightly thirdweb build pinned in devDependencies

Medium Severity

The thirdweb devDependency was changed from the stable range "^5.68.0" to a specific nightly pre-release build "5.93.5-nightly-...". Nightly builds are inherently unstable and not intended for committed dependencies. Stable versions like 5.96.4 are available on npm and would be more appropriate for a security-focused dependency upgrade PR.