[Aikido] Fix 12 security issues in next, chevrotain, ai and 1 more#28

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-17935703-8hrt
Conversation

@aikido-autofix aikido-autofix bot commented Mar 2, 2026

Upgrade dependencies to fix critical unauthenticated RCE in React Server Components payload deserialization and high-severity DoS vulnerabilities.

✅ 12 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2025-10869 | 🚨 CRITICAL | [next] React Server Components payload decoding flaw allows unauthenticated remote code execution through crafted HTTP requests to Server Function endpoints, even without explicitly implemented endpoints. Attackers can achieve arbitrary code execution on affected servers. |
| CVE-2025-55182 | 🚨 CRITICAL | [next] A pre-authentication remote code execution vulnerability exists in React Server Components due to unsafe deserialization of HTTP request payloads to Server Function endpoints. An unauthenticated attacker can execute arbitrary code on the server. |
| GHSA-mwv6-3258-q52c | HIGH | [next] A malicious HTTP request to App Router endpoints can cause server process hangs and excessive CPU consumption during deserialization, resulting in denial of service attacks. |
| GHSA-h25m-26qc-wcjf | HIGH | [next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage, out-of-memory exceptions, or server crashes, resulting in denial of service. |
| AIKIDO-2025-10936 | HIGH | [next] A malicious HTTP request to Server Functions endpoints can trigger an infinite loop during deserialization, causing server hang and high CPU consumption. This affects applications using React Server Components even without explicit Server Function implementations. |
| GHSA-w37m-7fhw-fmv9 | MEDIUM | [next] A malicious HTTP request can expose compiled source code of Server Functions in affected React packages and frameworks, potentially revealing business logic through information disclosure. |
| AIKIDO-2025-10937 | MEDIUM | [next] A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code. |
| AIKIDO-2026-10095 | LOW | [next] Multiple incomplete DoS mitigations in React Server Components allow specially crafted HTTP requests to Server Function endpoints to trigger server crashes, out-of-memory conditions, or excessive CPU usage. Applications not using React Server Components or server-side React functionality are unaffected. |
| CVE-2025-59471 | LOW | [next] A denial of service vulnerability in the Image Optimizer endpoint allows attackers to exhaust server memory by requesting optimization of arbitrarily large images when remotePatterns is configured. This causes out-of-memory conditions and application unavailability. |
| CVE-2025-13465 | MEDIUM | [next] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths, potentially causing denial of service or unexpected application behavior. |
| AIKIDO-2026-10269 | LOW | [next] An unbounded download vulnerability allows adversaries to exhaust application resources through large or uncontrolled downloads, causing denial of service by excessive memory/CPU usage and potential crashes. The issue stems from missing size limits on download operations. |
| AIKIDO-2025-10843 | LOW | [next] Regular expression denial of service (ReDoS) vulnerability in markdown parsing allows crafted input to cause excessive backtracking and performance degradation. The vulnerability has been fixed by replacing inefficient regex patterns with deterministic string-based parsing logic. |
