
[Aikido] Fix 8 security issues in lodash, tmp, minimatch and 1 more #32

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-21766448-vp4v

Conversation

@aikido-autofix aikido-autofix bot commented Apr 2, 2026

Upgrade lodash, tmp, minimatch, and brace-expansion to fix critical RCE via template injection, prototype pollution, symlink traversal, and ReDoS vulnerabilities.

⚠️ Incomplete breaking changes analysis (3/4 analyzed)

⚠️ Breaking changes analysis not available for: minimatch

✅ The breaking changes in lodash (4.17.21 => 4.18.0) and tmp (0.0.33 => 0.2.4) do not affect this codebase. Neither package is directly imported or used in any source files. They are transitive dependencies that are not invoked by the application code.

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.0 (CHANGELOG)

| Version | Description |
| --- | --- |
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |

All breaking changes by upgrading tmp from version 0.0.33 to 0.2.4 (CHANGELOG)

| Version | Description |
| --- | --- |
| 0.1.0 | Template no longer accepts arbitrary paths (PR gatsby-uc#180) |
| 0.1.0 | Dropped support for old Node.js versions (PR gatsby-uc#171) |
| 0.1.0 | Dropped support for Node v0.6.0 (PR gatsby-uc#152) |
| 0.1.0 | Fail early if there is no tmp dir specified (PR gatsby-uc#177) |
| 0.2.0 | tmp must not exit the process on its own (PR gatsby-uc#193) |

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-4800 | HIGH | [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2025-54798 | MEDIUM | [tmp] is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. |
| CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs. |
| CVE-2026-27903 | LOW | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs. |
| CVE-2026-33750 | LOW | [brace-expansion] A brace pattern with zero step value causes an infinite loop, leading to denial of service through process hangs and excessive memory allocation. The vulnerability affects string expansion operations when malicious or malformed patterns are processed. |
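The lodash 4.18.0 changelog row above says _.unset / _.omit now refuse constructor and prototype as non-terminal path keys, and CVE-2026-2950 says the earlier fix was bypassed with array-wrapped path segments. The following is an added example, not lodash's code and not part of this PR: a minimal path-based unset in the naive shape beside a hardened one that flattens wrapped segments before checking them. naiveUnset, safeUnset, toPath and the Widget/Gadget classes are hypothetical names, and the demo deletes from a constructed class's prototype rather than a built-in so it runs without side effects.

```javascript
// Added example, not lodash's implementation: a path-based unset in the
// naive shape beside a hardened version. All names are hypothetical.

// Keys that must never be walked through on the way to the terminal key.
const FORBIDDEN_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Flatten a path into plain string keys. Dotted strings are split, and
// array-wrapped segments such as [['constructor'], 'prototype', 'render']
// are unwrapped so that a wrapper array cannot hide a forbidden key.
function toPath(path) {
  const keys = [];
  const walk = (seg) => {
    if (Array.isArray(seg)) seg.forEach(walk);
    else String(seg).split('.').forEach((k) => keys.push(k));
  };
  walk(path);
  return keys;
}

// Naive unset: follows every key without inspection (the vulnerable shape).
// Returns true when the property was deleted or never existed.
function naiveUnset(obj, path) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null) return true;
    cur = cur[keys[i]];
  }
  if (cur == null) return true;
  return delete cur[keys[keys.length - 1]];
}

// Hardened unset: refuse any path that passes through a forbidden key in a
// non-terminal position; return false and leave the target untouched.
function safeUnset(obj, path) {
  const keys = toPath(path);
  for (let i = 0; i < keys.length - 1; i++) {
    if (FORBIDDEN_NON_TERMINAL.has(keys[i])) return false;
  }
  return naiveUnset(obj, keys);
}

// Constructed demo: a crafted path that reaches the class prototype through
// obj.constructor.prototype, with the first segment wrapped in an array to
// mimic the bypass shape the advisory describes.
function demo() {
  const crafted = [['constructor'], 'prototype', 'render'];

  class Widget { render() { return 'rendered'; } }
  const a = new Widget();
  const naiveResult = naiveUnset(a, crafted);
  const naiveRenderSurvives = typeof a.render === 'function';

  class Gadget { render() { return 'rendered'; } }
  const b = new Gadget();
  const safeResult = safeUnset(b, crafted);
  const safeRenderSurvives = typeof b.render === 'function';

  return { naiveResult, naiveRenderSurvives, safeResult, safeRenderSurvives };
}

console.log(demo());
// { naiveResult: true, naiveRenderSurvives: false, safeResult: false, safeRenderSurvives: true }
```

The important detail is that the check runs on the flattened key list, not on the caller's raw segments: a guard that compares each raw segment against the blocklist is exactly what an array-wrapped segment slips past.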
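The four ReDoS and infinite-loop rows (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904, CVE-2026-33750) all concern glob patterns taken from user input. Upgrading is the fix; as an added, defense-in-depth example that is not minimatch's or brace-expansion's code, here is a pre-validation guard that rejects the shapes those rows describe before the pattern reaches a matcher: long runs of *, more than a few ** segments, nested extglobs, and a brace range whose step is zero. checkGlobPattern, hasNestedExtglob and triage are hypothetical names, the thresholds are assumptions, and the extglob scan covers all five operators (*, +, ?, @, !), which is broader than the two the advisory names.

```javascript
// Added example, not minimatch's or brace-expansion's code: a pre-validation
// guard for glob patterns taken from untrusted input. Names and thresholds
// are assumptions chosen for this demo.

const DEFAULTS = {
  maxLength: 256,   // overall pattern length
  maxStarRun: 2,    // longest run of consecutive '*' ('**' stays legal)
  maxGlobstars: 2,  // number of '**' path segments
};

// A brace range with a zero step, e.g. {1..10..0} or {a..z..0}.
// Assumed syntax: {start..end..step}, step read as an integer.
const ZERO_STEP_BRACE = /\{[^{}]*?\.\.[^{}]*?\.\.[+-]?0+\}/;

// True when an extglob opener (*( +( ?( @( !() appears inside another
// extglob group. Backslash-escaped characters are skipped.
function hasNestedExtglob(pattern) {
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }
    if ('*+?@!'.includes(c) && pattern[i + 1] === '(') {
      if (depth > 0) return true;
      depth++;
      i++;
      continue;
    }
    if (c === ')' && depth > 0) depth--;
  }
  return false;
}

// Returns { ok: true } or { ok: false, reason }. Every check is a single
// pass over the string, so the guard itself cannot be made to backtrack.
function checkGlobPattern(pattern, opts = {}) {
  const o = { ...DEFAULTS, ...opts };
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > o.maxLength) return { ok: false, reason: 'too long' };

  const starRuns = pattern.match(/\*+/g) || [];
  const longestRun = starRuns.reduce((m, r) => Math.max(m, r.length), 0);
  if (longestRun > o.maxStarRun) return { ok: false, reason: 'long star run' };

  const globstars = pattern.split('/').filter((s) => s === '**').length;
  if (globstars > o.maxGlobstars) return { ok: false, reason: 'too many globstars' };

  if (hasNestedExtglob(pattern)) return { ok: false, reason: 'nested extglob' };
  if (ZERO_STEP_BRACE.test(pattern)) return { ok: false, reason: 'zero-step brace range' };
  return { ok: true };
}

// Constructed sample patterns: two benign ones, then one per failure shape.
const SAMPLE_PATTERNS = [
  'src/**/*.js',
  '@(lib|test)/*.md',
  'a/**/b/**/c/**/d',
  '****************************x',
  '+(a|*(b|c))',
  '{1..10..0}.txt',
];

function triage(patterns) {
  return patterns.map((p) => ({ pattern: p, ...checkGlobPattern(p) }));
}

console.log(triage(SAMPLE_PATTERNS));
```

Call checkGlobPattern on anything that will become a minimatch() or brace-expansion argument from a request, a CI job definition or a tenant-supplied config, and reject on ok === false; the thresholds are deliberately tight and should be loosened only for patterns the application itself generates.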
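CVE-2025-54798 describes tmp creating files or directories outside the intended location when the dir parameter is a symbolic link. An added example, not tmp's code: before creating anything, resolve the requested directory with fs.realpathSync and confirm the real path still lies inside the intended root. containedRealDir is a hypothetical name, and the demo builds its own root, an honest subdirectory and a symlink that points to a sibling directory outside the root, all constructed under os.tmpdir() and removed afterwards.

```javascript
// Added example, not tmp's code: check that a caller-supplied directory
// still resolves inside the intended root once symlinks are followed.
// containedRealDir and demo are hypothetical names.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Returns the real path of `dir` if it lies under the real path of `root`,
// or null if `dir` does not exist or escapes the root (e.g. via a symlink).
function containedRealDir(dir, root) {
  const realRoot = fs.realpathSync(root);
  let real;
  try {
    real = fs.realpathSync(dir);
  } catch {
    return null;
  }
  const rel = path.relative(realRoot, real);
  if (rel === '') return real;
  // A first segment of '..' (or an absolute result on another drive) means
  // the resolved directory is outside the root.
  if (path.isAbsolute(rel) || rel.split(path.sep)[0] === '..') return null;
  return real;
}

// Constructed demo: a root with an honest subdirectory and a symlink that
// points to a sibling directory outside the root. Everything is created
// under os.tmpdir() and removed before returning.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'tmp-root-'));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'tmp-outside-'));
  const honest = path.join(root, 'work');
  const escape = path.join(root, 'escape');
  fs.mkdirSync(honest);
  fs.symlinkSync(outside, escape, 'dir');
  try {
    return {
      honestAccepted: containedRealDir(honest, root) !== null,
      symlinkAccepted: containedRealDir(escape, root) !== null,
      missingAccepted: containedRealDir(path.join(root, 'nope'), root) !== null,
    };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
    fs.rmSync(outside, { recursive: true, force: true });
  }
}

console.log(demo());
// { honestAccepted: true, symlinkAccepted: false, missingAccepted: false }
```

Comparing the two real paths, rather than the strings the caller passed, is what makes the check hold: a lexical prefix comparison on root and dir would accept the symlink, because its path string does start with the root.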

github-actions bot commented Apr 2, 2026

Package lock diff
