[Aikido] Fix 3 security issues in lodash, thirdweb, js-yaml

[aikido-autofix]

Upgrade dependencies to mitigate prototype pollution in Lodash, address nonce reuse in Thirdweb, and prevent YAML prototype pollution with potential RCE risks.

✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2025-13465	MEDIUM	[lodash] Prototype pollution vulnerability allows attackers to delete methods from global object prototypes via crafted paths in _.unset and _.omit functions, potentially disrupting application behavior without direct code execution.
AIKIDO-2024-10466	MEDIUM	[lodash] Insufficient entropy in signature algorithm allows private key recovery by reusing transaction signature nonces, enabling attackers to compromise cryptographic system security through key extraction.
AIKIDO-2025-10809	MEDIUM	[lodash] Prototype pollution vulnerability allows attackers to inject malicious properties into object prototypes via crafted YAML input, potentially leading to remote code execution, denial of service, or other critical security breaches by exploiting insufficient property validation.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2899/small-upgrade-for-lodash

---

PR-Codex overview

This PR focuses on updating various dependencies in the project, including @babel, @tanstack/react-query, and thirdweb, while also modifying the configuration for lint-staged and biome. It enhances compatibility and ensures the project uses the latest features and fixes.

Detailed summary

• Updated packageManager to pnpm@9.4.0.
• Modified lint-staged configuration to improve formatting.
• Added dependencies: lodash and js-yaml.
• Updated thirdweb version to 5.93.5-nightly.
• Upgraded @babel packages to 7.29.0.
• Updated typescript to 5.9.3.
• Updated @tanstack/react-query to 5.90.20.
• Adjusted peerDependenciesMeta for compatibility.
• Updated various package versions in pnpm-lock.yaml for consistency.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6c92be4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

PR Summary

Medium Risk
Primarily dependency pinning/upgrades for security, but it can affect build/runtime behavior if consumers or tooling expect different lodash/js-yaml resolution or if the thirdweb nightly introduces regressions.

Overview
Adds pnpm.overrides pins for lodash (4.17.23) and js-yaml (3.14.2) to mitigate reported transitive dependency vulnerabilities.

Updates packages/agw-react to use a newer nightly thirdweb version in devDependencies; remaining changes are JSON formatting/ordering tweaks (e.g., lint-staged, typesVersions, files).

^{Written by Cursor Bugbot for commit 6c92be4. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Incomplete js-yaml override misses vulnerable 4.x versions

Medium Severity

The js-yaml override "js-yaml@<=3.14.2": "3.14.2" only covers the 3.x branch of the vulnerability. According to CVE-2025-64718, vulnerable versions include <3.14.2 AND >=4.0.0 <4.1.1. The 4.x vulnerable versions (4.0.0 and 4.1.0) are not covered by any override. If a transitive dependency pins to js-yaml 4.0.0 or 4.1.0, those vulnerable versions could be installed, leaving the prototype pollution vulnerability unaddressed for the 4.x branch.