[Aikido] Fix 9 security issues in lodash, @babel/traverse, ajv and 2 more #2

Open

aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-21766471-d8hf

Conversation


aikido-autofix bot commented Apr 2, 2026

Upgrade dependencies to fix critical RCE vulnerabilities in lodash template injection and @babel/traverse code evaluation, plus prototype pollution and DoS issues.

✅ Code not affected by breaking changes.

✅ No breaking changes from the lodash upgrade affect this codebase.

The codebase does not directly depend on lodash (it's not listed in package.json dependencies), and none of the source code files (lib/index.js, bin/lock-diff.js, __tests__/index.test.js) import or use lodash methods. The affected methods (_.unset, _.omit, _.template) are not used anywhere in the codebase.

Lodash only appears as a transitive dependency through other packages like table, eslint, and inquirer, but those packages will manage their own compatibility with lodash versions.

All breaking changes by upgrading lodash from version 4.17.15 to 4.18.0 (CHANGELOG)

| Version | Description |
| --- | --- |
| 4.18.0 | `_.unset` / `_.omit` now block `constructor` and `prototype` as non-terminal path keys unconditionally. Calls that previously returned `true` and deleted the property now return `false` and leave the target untouched. |
| 4.18.0 | `_.template` now throws "Invalid imports option passed into _.template" when `imports` keys contain forbidden identifier characters, which were previously allowed. |
✅ 9 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-4800 | HIGH | [lodash] A vulnerability in `_.template` allows arbitrary code execution through untrusted key names in `options.imports` or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| NSWG-ECO-516 | HIGH | [lodash] Prototype pollution attack (lodash) |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in `_.unset` and `_.omit` functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in `_.unset` and `_.omit` functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| AIKIDO-2025-10745 | MEDIUM | [@babel/traverse] A vulnerability allows remote code execution during compilation when processing malicious input with certain plugins that use internal evaluation methods. This affects plugins like @babel/plugin-transform-runtime and @babel/preset-env with the `useBuiltIns` option. |
| CVE-2020-15366 | MEDIUM | [ajv] A prototype pollution vulnerability in the `validate()` function allows arbitrary code execution through a maliciously crafted JSON schema. This enables remote code execution when processing untrusted schemas, exceeding the expected denial of service impact. |
| CVE-2025-69873 | LOW | [ajv] A ReDoS vulnerability allows attackers to inject malicious regex patterns via the `$data` option, causing catastrophic backtracking and CPU exhaustion. A 31-character payload can block execution for ~44 seconds, enabling complete denial of service with minimal effort. |
| CVE-2021-3807 | LOW | [ansi-regex] is vulnerable to Inefficient Regular Expression Complexity. |
| CVE-2022-25883 | LOW | [semver] Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function `new Range`, when untrusted user data is provided as a range. |
