[Aikido] Fix 5 security issues in axios, lodash, thirdweb and 2 more

[aikido-autofix]

Upgraded dependencies to address critical security vulnerabilities including prototype pollution, nonce reuse, and timing-safe authentication in axios, lodash, thirdweb, js-yaml, and hono.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2025-13465	MEDIUM	[axios] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths, potentially causing denial of service or unexpected application behavior.
AIKIDO-2024-10466	MEDIUM	[axios] Insufficient entropy in the signature algorithm allows attackers to recover private keys by exploiting nonce reuse across different messages. This vulnerability compromises the entire security of the signing system and enables unauthorized access to cryptographic credentials.
AIKIDO-2025-10809	MEDIUM	[axios] Prototype Pollution vulnerability in YAML merging allows attackers to inject malicious keys into object prototypes, potentially leading to remote code execution, denial of service, or other security breaches.
GHSA-gq3j-xvxp-8hrf	LOW	[axios] Timing-safe comparison vulnerability in basicAuth and bearerAuth middlewares where hash value comparison used non-constant-time string equality, potentially allowing timing-based analysis attacks under controlled conditions.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2899/small-upgrade-for-lodash
• https://linear.app/cube-labs/issue/CUB-2961/small-upgrade-for-hono
• https://linear.app/cube-labs/issue/CUB-2965/minor-upgrade-for-axios

---

PR-Codex overview

This PR focuses on updating dependencies and configurations in the package.json files across multiple packages, ensuring compatibility and introducing new features or fixes.

Detailed summary

• Updated packageManager to pnpm@9.4.0.
• Modified lint-staged configuration for better formatting.
• Added new dependencies: axios, lodash, js-yaml, hono.
• Updated thirdweb version in multiple packages.
• Updated various devDependencies to newer versions.
• Enhanced type definitions in packages/agw-react/package.json.
• Updated pnpm-lock.yaml with new lockfile version and dependency resolutions.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2c0f409

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

PR Summary

Medium Risk
Dependency override pins and a thirdweb version jump can introduce subtle runtime/compatibility changes across the monorepo despite being security-motivated.

Overview
Updates repo dependency resolution to address reported security issues by adding pnpm.overrides pins for axios, lodash, js-yaml, and hono (and minor override formatting changes) in the root package.json.

Updates @abstract-foundation/agw-react tooling metadata formatting and bumps its devDependencies.thirdweb to a specific 5.93.5-nightly build while keeping thirdweb as an optional peer dependency range.

^{Written by Cursor Bugbot for commit 2c0f409. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Nightly thirdweb may break published types

Medium Severity

@abstract-foundation/agw-react now builds/tests against a pinned prerelease thirdweb (5.93.5-nightly-...) while advertising a stable peerDependencies range (thirdweb: ^5.72.0). This can generate dist typings/JS that rely on nightly-only APIs, causing consumer breakage even when their installed thirdweb satisfies the peer range.