[Aikido] Fix 11 security issues in hono, socket.io-parser, h3 and 3 more

[aikido-autofix]

Upgrade dependencies to fix critical authorization bypass in Hono, memory exhaustion DoS in Socket.IO, SSE injection in h3, and DoS vulnerabilities in Axios and related packages.

✅ 11 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-29045	🚨 CRITICAL	[hono] URL decoding inconsistency between router and serveStatic allows bypassing route-based middleware protections via encoded slashes (%2F), enabling unauthorized access to protected static resources. This vulnerability permits attackers to circumvent authorization checks through path manipulation.
CVE-2026-29085	MEDIUM	[hono] Improper input validation in streamSSE() allows injection of arbitrary SSE fields through unvalidated carriage return and newline characters in event, id, and retry fields, enabling protocol manipulation and potential information disclosure or DoS attacks.
CVE-2026-29086	MEDIUM	[hono] The setCookie() utility fails to validate semicolons, carriage returns, and newlines in domain and path options, allowing attackers to inject additional cookie attributes through untrusted input. This could lead to cookie manipulation and potential security bypasses.
GHSA-v8w9-8mx6-g223	MEDIUM	[hono] Prototype pollution vulnerability in parseBody({ dot: true }) where specially crafted form field names like __proto__.x create objects with __proto__ properties, potentially enabling prototype pollution if merged unsafely into other objects.
GHSA-gq3j-xvxp-8hrf	LOW	[hono] The basicAuth and bearerAuth middlewares used non-timing-safe string comparison for hash validation, potentially allowing timing-based analysis attacks. The vulnerability has been fixed by implementing constant-time comparison to prevent early termination.
CVE-2026-33151	HIGH	[socket.io-parser] A specially crafted Socket.IO packet can cause the server to buffer a large number of binary attachments, leading to memory exhaustion and denial of service.
CVE-2026-33128	HIGH	[h3] Missing newline sanitization in SSE message formatting allows attackers who control message fields to inject arbitrary SSE events, enabling event spoofing, phishing, and denial-of-service attacks on connected clients. This framework-level vulnerability affects any application using SSE with user-controlled data.
GHSA-4hxc-9384-m385	MEDIUM	[h3] The EventStream class fails to sanitize carriage return (\r) characters in data and comment fields, allowing attackers to inject arbitrary SSE events, spoof event types, and split single push() calls into multiple browser-parsed events. This bypasses a prior fix that only addressed newline (\n) injection.
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2025-13465	MEDIUM	[lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
AIKIDO-2024-10466	MEDIUM	[viem] Insufficient entropy in the signature algorithm allows nonce reuse across transactions, enabling attackers to recover the private key and compromise cryptographic security.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2899/small-upgrade-for-lodash
• https://linear.app/cube-labs/issue/CUB-2961/small-upgrade-for-hono
• https://linear.app/cube-labs/issue/CUB-2965/minor-upgrade-for-axios
• https://linear.app/cube-labs/issue/CUB-3055/minor-upgrade-for-h3
• https://linear.app/cube-labs/issue/CUB-3051/small-upgrade-for-socketio-parser

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3c50637

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

PR Summary

Medium Risk
Primarily dependency/version resolution changes to address known vulnerabilities; risk is moderate due to potential runtime behavior differences from forced transitive version pins (and a thirdweb devDependency change) affecting builds/tests.

Overview
Applies security-focused dependency resolution fixes by adding pnpm.overrides pins for vulnerable transitive packages (hono, socket.io-parser, h3, axios, lodash, plus tmp) in the root package.json.

In packages/agw-react/package.json, updates the thirdweb devDependency to a specific nightly build; the remaining edits are formatting-only (JSON arrays/ordering) and do not change package semantics.

^{Written by Cursor Bugbot for commit 3c50637. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Nightly thirdweb build accidentally committed in security PR

Medium Severity

The thirdweb devDependency was changed from stable "^5.68.0" to a nightly build "5.93.5-nightly-b51157c0ff17e9535029fc8790cfa8538d1c995f-20250326000337". This change is unrelated to any of the 11 CVEs being fixed in this PR — the project's viem is already at 2.45.1+, well above the 2.21.49 fix for the viem CVE. Nightly builds are inherently unstable and can be unpublished from npm at any time, which would break reproducible installs for all contributors.