[Aikido] Fix 4 security issues in axios, lodash, thirdweb and 1 more#388

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-16111615-3zY1

Conversation


@aikido-autofix aikido-autofix bot commented Feb 11, 2026

Upgrade axios, lodash, thirdweb, and js-yaml to mitigate critical security vulnerabilities including prototype pollution, DoS, and potential RCE risks.

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-25639 | HIGH | [axios] Prototype pollution vulnerability allows attackers to crash the application by crafting a malicious configuration object with a `__proto__` property, resulting in a TypeError that causes complete denial of service. |
| CVE-2025-13465 | MEDIUM | [axios] Prototype pollution vulnerability allows attackers to delete methods from global object prototypes via crafted paths in `_.unset` and `_.omit` functions, potentially disrupting application behavior without direct code execution. |
| AIKIDO-2024-10466 | MEDIUM | [axios] Insufficient entropy in signature algorithm allows private key recovery if nonce is reused across messages, enabling attackers to compromise system security through cryptographic key extraction. |
| AIKIDO-2025-10809 | MEDIUM | [axios] Prototype pollution vulnerability allows attackers to inject malicious keys into object prototypes via YAML input, potentially leading to remote code execution, denial of service, and other critical security breaches by manipulating object properties. |

PR-Codex overview

This PR focuses on updating various dependencies in the package.json files across multiple packages, along with changes to the lint-staged configuration and adjustments in the pnpm-lock.yaml file.

Detailed summary

  • Updated packageManager to pnpm@9.4.0.
  • Modified lint-staged configuration for better formatting.
  • Added new dependencies: axios, lodash, js-yaml.
  • Updated versions of existing dependencies in multiple packages.
  • Adjusted lockfileVersion in pnpm-lock.yaml.
  • Upgraded several @babel packages to version 7.29.0.

The following files were skipped due to too many changes: pnpm-lock.yaml


@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Feb 11, 2026
@aikido-autofix aikido-autofix bot requested a review from cygaar as a code owner February 11, 2026 23:36

cursor bot commented Feb 11, 2026

PR Summary

Medium Risk
Dependency upgrades/pins can change runtime behavior across the monorepo (especially via pnpm.overrides) and the thirdweb nightly may introduce breaking changes despite being limited to dev/build usage.

Overview
Mitigates reported dependency vulnerabilities by adding root pnpm.overrides pins for axios, lodash, and js-yaml (plus minor formatting changes in lint-staged).

Updates packages/agw-react to use a newer thirdweb nightly in devDependencies, and applies formatting-only changes to typesVersions/files arrays.

Written by Cursor Bugbot for commit 4a3ebf2.


changeset-bot bot commented Feb 11, 2026

⚠️ No Changeset found

Latest commit: 4a3ebf2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


"react": ">=18.3.1",
"react-dom": ">=18.3.1",
"thirdweb": "^5.68.0",
"thirdweb": "5.93.5-nightly-b51157c0ff17e9535029fc8790cfa8538d1c995f-20250326000337",
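Review bot: this line moves thirdweb from the semver range "^5.68.0" to an exact nightly whose embedded build date (20250326) is almost a year before this PR, and the CVE table in the description does not name a thirdweb advisory, so it is not clear which of the 4 issues this change addresses or why a stable release was not chosen; either pick a stable release that contains the fix or state in the description which advisory this nightly resolves. The exact pin also stops patch releases from being picked up, which the previous caret range allowed.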

Nightly build pinned as thirdweb devDependency

Medium Severity

The thirdweb devDependency was changed from a stable semver range "^5.68.0" to a specific nightly build "5.93.5-nightly-b51157c0ff17e9535029fc8790cfa8538d1c995f-20250326000337". Nightly builds are inherently unstable, may be removed from the registry, and aren't intended for committed dependencies. Stable thirdweb releases well beyond 5.93.x exist and would be appropriate here. This looks like a testing artifact that was accidentally included in the PR.


"tmp@<=0.2.3": ">=0.2.4",
"axios@<=1.13.5": "1.13.5",
"lodash@<=4.17.23": "4.17.23",
"js-yaml@<=3.14.2": "3.14.2"
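Review bot: the three new entries are pnpm.overrides that redirect transitive resolution, not direct dependencies, so the PR-Codex summary line "Added new dependencies: axios, lodash, js-yaml" misdescribes the change and should be corrected. The existing `tmp` override directly above uses a `>=` floor as the replacement while these three use exact versions; whichever form is kept, the description should show which packages pulled in the vulnerable ranges so a reviewer can confirm the regenerated lockfile actually resolves them to the fixed versions.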

Overrides use exact pins instead of >= ranges

Low Severity

All 13 existing pnpm overrides in this file use >= range syntax for the replacement version (e.g., ">=0.2.4"), but the three new overrides for axios, lodash, and js-yaml use exact version pins (e.g., "1.13.5"). This inconsistency means that when a transitive dependency resolves to a vulnerable version, the override will force it to exactly the current fix version rather than allowing resolution to any newer patched release. Using ">=1.13.5", ">=4.17.23", and ">=3.14.2" would match the established pattern and automatically pick up future security patches.

