
[Aikido] Fix 5 security issues in lodash, @aws-sdk/client-sts, @aws-sdk/client-cloudfront and 4 more #25

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-17198078-edKz

Conversation

@aikido-autofix

Upgrade dependencies to patch prototype pollution, ReDoS, and AWS SDK configuration vulnerabilities that could enable remote code execution and service disruption. This update includes breaking changes that require manual migration.

⚠️ Code affected by breaking changes.

The breaking changes affect this codebase because the project uses these packages as transitive dependencies, and the Node.js version requirements have increased significantly:

minimatch 9.0.5 => 10.2.1

  • Where your code is affected: Used transitively through @asyncapi/cli@oclif/core (example-client/package.json:20, example-client/package-lock.json shows multiple instances)

  • Impact: Upgrading to minimatch 10.x requires Node.js 20 or 22+, while the current version 9.0.5 works with Node.js 16+. If the project is running on Node.js 18 or 19, the upgrade will break.

  • Remediation: Verify the project runs on Node.js 20+ and add an explicit engines field in package.json to enforce this requirement.

@smithy/config-resolver 3.0.12 => 4.4.0

  • Where your code is affected: Used transitively through AWS SDK packages in @asyncapi/cli dependencies (example-client/package-lock.json shows usage in @aws-sdk/client-s3 and @aws-sdk/client-cloudfront)

  • Impact: Version 4.x drops Node.js 16 support. If running on Node.js 16, the upgrade will fail.

  • Remediation: Ensure the project runs on Node.js 18+ minimum (already required by @oclif/core v3).

Critical Note: The project currently has no explicit Node.js version constraint in its package.json, but dependencies already require Node.js 18+. These upgrades would further increase the minimum to Node.js 20+.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue (Severity): Description

CVE-2025-13465 (MEDIUM): [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.

CVE-2025-64718 (MEDIUM): [lodash] A prototype pollution vulnerability allows attackers to modify object prototypes through malicious YAML documents, potentially enabling arbitrary code execution or application compromise when parsing untrusted input.

AIKIDO-2025-10809 (MEDIUM): [lodash] A prototype pollution vulnerability in object merging allows attackers to inject malicious properties via crafted YAML input, potentially leading to remote code execution, denial of service, or other security breaches.

CVE-2026-26996 (LOW): [lodash] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. User-controlled glob patterns can trigger hangs or extreme slowdowns, enabling denial of service attacks.

GHSA-6475-r3vj-m8vf (LOW): [lodash] Invalid region values in AWS SDK configuration could allow improper routing of API calls to non-AWS hosts if an actor with environment access sets the region field to an invalid value. A validation enhancement has been implemented to ensure regions are valid host labels.
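The description above lists three things a maintainer has to deal with before merging: user-controlled property paths reaching lodash's _.unset/_.omit/_.set, user-controlled glob patterns with long runs of `*` reaching the matcher, and a raised Node.js minimum with no engines field to enforce it. The following is an added example, not code from this PR, from Aikido, lodash, minimatch or the AWS SDK; it shows the defensive checks an application can put in front of those call sites (a path guard, a glob normalizer, a Node version gate). All function names and the numeric limits are assumptions chosen for illustration, and the path splitter is a simplified stand-in for lodash's own, so the example runs without lodash installed.

```javascript
'use strict';

// Added example for this PR page; not code from the PR or from the upgraded
// packages. Function names and the numeric limits below are assumptions.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// --- 1. Property paths (prototype pollution via _.unset / _.omit / _.set) ---

// Segments that reach the prototype chain instead of the object's own data.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Simplified lodash-style path splitter: accepts an array of keys or a string
// such as 'a.b[0]["c"]'. Sufficient for the guard; not a full _.toPath.
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[/g, '.')
    .replace(/\]/g, '')
    .replace(/["']/g, '')
    .split('.')
    .filter((s) => s.length > 0);
}

// True when no segment of the path can touch a prototype.
function isSafePropertyPath(path) {
  return toPathSegments(path).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Wrapper to call instead of _.unset when the path comes from user input:
// unsafe paths are refused rather than forwarded. The delete itself is a plain
// own-property delete so this runs without lodash; swap in _.unset if wanted.
function safeUnset(obj, path) {
  if (!isSafePropertyPath(path)) {
    throw new Error(`refusing property path that reaches a prototype: ${String(path)}`);
  }
  const segs = toPathSegments(path);
  if (segs.length === 0) return false;
  let cur = obj;
  for (const seg of segs.slice(0, -1)) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, seg)) return false;
    cur = cur[seg];
  }
  const leaf = segs[segs.length - 1];
  if (cur === null || typeof cur !== 'object' || !hasOwn(cur, leaf)) return false;
  delete cur[leaf];
  return true;
}

// --- 2. Glob patterns (ReDoS from runs of consecutive '*') ---

const MAX_GLOB_LENGTH = 256; // assumed cap on untrusted pattern length

// Collapses runs of two or more '*' inside a path segment to a single '*'.
// A segment that is exactly '**' (globstar) is kept. A run directly followed
// by '(' keeps its last '*' so an extglob such as '*(a|b)' stays intact.
// Inside one segment, repeated '*' match the same strings as one '*', so the
// pattern's meaning is unchanged; only the backtracking-prone input is gone.
function normalizeGlob(pattern) {
  if (typeof pattern !== 'string' || pattern.length > MAX_GLOB_LENGTH) {
    throw new Error('glob pattern rejected: not a string or too long');
  }
  return pattern
    .split('/')
    .map((seg) => (seg === '**' ? seg : seg.replace(/\*{2,}(?!\()/g, '*')))
    .join('/');
}

// --- 3. Node.js minimum (what an "engines" field would enforce) ---

// Parses 'v20.11.1' (the shape of process.version) or '20.11.1' into its major.
function nodeMajor(version) {
  const m = /^v?(\d+)\./.exec(String(version));
  if (!m) throw new Error(`unrecognised Node.js version: ${version}`);
  return Number(m[1]);
}

// Mirrors "engines": { "node": ">=20" } checked at startup; call it with
// process.version so a too-old runtime fails fast instead of mid-request.
function meetsMinimumNode(version, minMajor) {
  return nodeMajor(version) >= minMajor;
}

// Stand-alone demo on constructed input (skipped when loaded as a module).
if (typeof require !== 'undefined' && require.main === module) {
  const doc = { settings: { theme: 'dark', beta: true } };
  console.log(safeUnset(doc, 'settings.beta'), doc);      // true { settings: { theme: 'dark' } }
  console.log(normalizeGlob('src/***/a****b.js'));        // src/*/a*b.js
  console.log(meetsMinimumNode(process.version, 20));
}
```

In an application the guard runs where untrusted input becomes a path or a pattern (request body, YAML document, CLI argument), before the lodash or minimatch call; the Node check belongs beside an explicit `"engines": { "node": ">=20" }` in package.json, which is the remediation the description asks for.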

@vercel

vercel bot commented Feb 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                           Deployment   Actions   Updated (UTC)
cash-register-api-example-client  Error        Error     Feb 23, 2026 11:43pm
