
[Aikido] Fix 2 security issues in lodash, thirdweb #386

Closed
aikido-autofix[bot] wants to merge 1 commit into main from
fix/aikido-security-update-packages-15674769-tcR1

Conversation


@aikido-autofix aikido-autofix bot commented Feb 7, 2026

Upgrade lodash and thirdweb to mitigate critical RCE, prototype pollution, and signature nonce reuse vulnerabilities affecting system security

✅ 3 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2025-10854 | 🚨 CRITICAL | Metro dev server in React Native CLI allows unauthenticated remote attackers to inject OS commands via crafted POST requests, enabling arbitrary code execution, especially on Windows systems. |
| CVE-2025-13465 | MEDIUM | [lodash] Prototype pollution vulnerability allows attackers to delete methods from global object prototypes via crafted paths in _.unset and _.omit functions, potentially disrupting application behavior without direct code execution. |
| AIKIDO-2024-10466 | MEDIUM | [lodash] Insufficient entropy in signature algorithm allows private key recovery by reusing transaction signature nonces, enabling attackers to compromise cryptographic system security through key extraction. |
🔗 Related Tasks

PR-Codex overview

This PR focuses on updating the package.json and pnpm-lock.yaml files to modify dependencies, devDependencies, and lint-staged configurations, enhancing the project setup and ensuring compatibility with newer versions of libraries.

Detailed summary

  • Updated packageManager to pnpm@9.4.0.
  • Modified lint-staged configuration for better formatting.
  • Added lodash@<=4.17.23 to devDependencies.
  • Updated thirdweb version in multiple packages.
  • Upgraded various dependencies and devDependencies to their latest versions, including @babel, @types, and typescript.
  • Adjusted files property in packages/agw-react/package.json for better structure.
  • Added new dependencies and resolutions in pnpm-lock.yaml for better package management.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}
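The CVE-2025-13465 row above describes a crafted path reaching a prototype through a path-based `unset`. The following is an added example, not lodash's code and not part of this PR: a minimal path walker in a naive form that follows `constructor.prototype` segments, beside a hardened form that refuses prototype-reaching segments and touches own properties only. The `Widget` class and the attacker path are constructed for illustration; real lodash internals differ.

```javascript
// Added example (not lodash's code and not part of this PR): a minimal
// path-based unset in a naive form that walks into the prototype chain, beside
// a hardened form. It reconstructs the bug class the PR description attributes
// to CVE-2025-13465; real lodash internals differ.

function splitPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Naive: follows every segment, including "constructor", "prototype" and
// "__proto__", so an attacker-controlled path can reach a shared prototype
// and delete a method that every instance relies on.
function naiveUnset(obj, path) {
  const segs = splitPath(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur == null) return true;
    cur = cur[segs[i]];
  }
  if (cur == null) return true;
  return delete cur[segs[segs.length - 1]];
}

const PROTO_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened: refuse prototype-reaching segments and touch own properties only,
// so the walk can never leave the object that was passed in.
function safeUnset(obj, path) {
  const segs = splitPath(path);
  if (segs.some((s) => PROTO_SEGMENTS.has(s))) return false;
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== "object" || !hasOwn(cur, segs[i])) return true;
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (cur === null || typeof cur !== "object" || !hasOwn(cur, last)) return true;
  return delete cur[last];
}

// Constructed victim: a class with a prototype method. A fresh class is made
// per call so the two runs below do not interfere with each other.
function prototypeSurvives(unsetFn) {
  class Widget { render() { return "rendered"; } }
  const target = new Widget();
  const attackerPath = "constructor.prototype.render"; // hypothetical untrusted input
  unsetFn(target, attackerPath);
  return typeof new Widget().render === "function";
}

// The hardened version still does its job on an ordinary nested path.
function ordinaryUnsetWorks() {
  const cfg = { db: { password: "hunter2", host: "localhost" } };
  const removed = safeUnset(cfg, "db.password");
  return removed && !("password" in cfg.db) && cfg.db.host === "localhost";
}

console.log("naive keeps prototype method:", prototypeSurvives(naiveUnset)); // false
console.log("safe keeps prototype method:", prototypeSurvives(safeUnset));   // true
console.log("ordinary unset works:", ordinaryUnsetWorks());                  // true
```

The naive walker deletes `Widget.prototype.render` for every instance in the process, which is the "disrupting application behavior without direct code execution" effect the table describes; upgrading lodash is the fix for the library, and the own-property check is what an application-side path utility should do regardless.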

@aikido-autofix aikido-autofix bot requested a review from coffeexcoin as a code owner February 7, 2026 23:34
@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Feb 7, 2026
@aikido-autofix aikido-autofix bot requested a review from cygaar as a code owner February 7, 2026 23:34

changeset-bot bot commented Feb 7, 2026

⚠️ No Changeset found

Latest commit: c354ff8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



cursor bot commented Feb 7, 2026

PR Summary

Medium Risk
Primarily dependency-resolution changes; risk is moderate due to potentially altered transitive dependency behavior and the thirdweb version shift affecting build/test outputs.

Overview
Applies security-focused dependency adjustments: adds a pnpm.overrides rule in the root package.json to pin lodash resolution and updates @abstract-foundation/agw-react to use a newer thirdweb build in devDependencies.

Also includes small package.json formatting/ordering changes (e.g., lint-staged, typesVersions, files, and peer dependency ordering) with no functional code changes.

Written by Cursor Bugbot for commit c354ff8. This will update automatically on new commits. Configure here.
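The AIKIDO-2024-10466 row in the PR description speaks of private key recovery through reused signature nonces. The following is an added example, not thirdweb's code and not part of this PR, showing the ECDSA algebra that makes that recovery possible. Only scalar arithmetic modulo the secp256k1 group order `n` is included; `r` is taken as a given value (in a real signature it is the x-coordinate of `k*G`) because the recovery needs only `n`, `r`, the two message hashes and the two `s` values. All key, nonce and hash constants are constructed for illustration.

```javascript
// Added example (not thirdweb's code and not part of this PR): the key
// recovery that nonce reuse makes possible in ECDSA, the failure mode the PR
// description attributes to AIKIDO-2024-10466. Only the scalar arithmetic
// modulo the secp256k1 group order n is shown; r is taken as a given value
// (in a real signature it is the x-coordinate of k*G).

const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // secp256k1 order

function mod(a, m) {
  const r = a % m;
  return r < 0n ? r + m : r;
}

// Modular inverse by the extended Euclidean algorithm.
function modInv(a, m) {
  let [oldR, r] = [mod(a, m), m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error("value is not invertible mod m");
  return mod(oldS, m);
}

// ECDSA's second signature component: s = k^-1 * (z + r*d) mod n.
function signWithNonce(d, k, r, z) {
  return mod(modInv(k, N) * mod(z + r * d, N), N);
}

// Two signatures made with the same k share r, and then
//   s1 - s2 = k^-1 * (z1 - z2)   =>   k = (z1 - z2) / (s1 - s2)
//   s1 * k  = z1 + r*d           =>   d = (s1*k - z1) / r
function recoverFromNonceReuse(r, z1, s1, z2, s2) {
  const sDiff = mod(s1 - s2, N);
  if (sDiff === 0n) throw new Error("s values equal; hashes must differ for recovery");
  const k = mod(mod(z1 - z2, N) * modInv(sDiff, N), N);
  const d = mod(mod(s1 * k - z1, N) * modInv(r, N), N);
  return { k, d };
}

// Constructed inputs (not real keys, nonces, or transaction hashes).
const PRIVATE_KEY = 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdefn;
const REUSED_NONCE = 0xdeadbeefcafef00ddeadbeefcafef00ddeadbeefcafef00dn;
const R_FOR_NONCE = 0x5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5an; // placeholder r
const HASH_1 = 0x1111111111111111111111111111111111111111111111111111111111111111n;
const HASH_2 = 0x2222222222222222222222222222222222222222222222222222222222222222n;

// Two transactions signed with the same nonce leak the private key.
function demoNonceReuse() {
  const s1 = signWithNonce(PRIVATE_KEY, REUSED_NONCE, R_FOR_NONCE, HASH_1);
  const s2 = signWithNonce(PRIVATE_KEY, REUSED_NONCE, R_FOR_NONCE, HASH_2);
  const { k, d } = recoverFromNonceReuse(R_FOR_NONCE, HASH_1, s1, HASH_2, s2);
  return { keyRecovered: d === PRIVATE_KEY, nonceRecovered: k === REUSED_NONCE };
}

// With distinct nonces the same algebra yields an unrelated value (in practice
// r would differ as well, which is how an observer spots reuse in the first
// place); per-signature nonces, e.g. RFC 6979 deterministic ones, close the hole.
function demoDistinctNonces() {
  const s1 = signWithNonce(PRIVATE_KEY, REUSED_NONCE, R_FOR_NONCE, HASH_1);
  const s2 = signWithNonce(PRIVATE_KEY, REUSED_NONCE + 1n, R_FOR_NONCE, HASH_2);
  const { d } = recoverFromNonceReuse(R_FOR_NONCE, HASH_1, s1, HASH_2, s2);
  return d === PRIVATE_KEY;
}

console.log(demoNonceReuse());     // { keyRecovered: true, nonceRecovered: true }
console.log(demoDistinctNonces()); // false
```

The practical check for a reviewer of the thirdweb bump is therefore not the algebra but the nonce source: a signer whose `k` comes from a weak or repeated entropy source hands over `d` after two signed transactions, and nothing downstream of the signature can detect or undo that.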

@aikido-autofix aikido-autofix bot closed this Feb 8, 2026

Labels

dependencies Pull requests that update a dependency file
