
[Aikido] Fix security issue in socket.io-parser via minor version upgrade from 4.2.4 to 4.2.6 #423

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-20896667-8lbg

Conversation


@aikido-autofix aikido-autofix bot commented Mar 27, 2026

Upgrade socket.io-parser to fix memory exhaustion DoS vulnerability caused by malicious binary attachment packets.

✅ Code not affected by breaking changes.

No breaking changes affect this codebase. The socket.io-parser package is only a transitive dependency through @metamask/sdk → socket.io-client → socket.io-parser. The codebase does not directly use socket.io-parser or socket.io-client, nor does it handle binary attachments through these libraries. The new limit on binary attachments in version 4.2.6 will not impact this codebase.

All breaking changes by upgrading socket.io-parser from version 4.2.4 to 4.2.6 (CHANGELOG)

Version  Description
4.2.6    Added a limit to the number of binary attachments, which restricts previously unlimited attachment behavior
✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue           Severity  Description
CVE-2026-33151  HIGH      [socket.io-parser] A specially crafted Socket.IO packet can cause the server to buffer a large number of binary attachments, leading to memory exhaustion and denial of service.
🔗 Related Tasks
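As an added illustration (not code from socket.io-parser or from this PR), the JavaScript below parses the header of a Socket.IO packet string and applies the kind of attachment-count cap the 4.2.6 changelog describes, rejecting an oversized count before any attachment buffering begins. The MAX_ATTACHMENTS value and the sample packet strings are assumptions constructed for this example.

```javascript
// Added example, not socket.io-parser's own code: parse the header of a
// Socket.IO packet string and refuse to start buffering when the announced
// binary-attachment count exceeds a cap. The cap value is an assumption.
const BINARY_EVENT = 5;
const BINARY_ACK = 6;
const MAX_ATTACHMENTS = 10; // hypothetical bound chosen for this example

// Constructed sample headers (not captured traffic): a benign binary event
// announcing 2 attachments, and one announcing an implausibly large count.
const SAMPLE_OK = '52-["upload",{"_placeholder":true,"num":0},{"_placeholder":true,"num":1}]';
const SAMPLE_OVERSIZED = '5999999-["upload"]';

// Layout: <type>[<attachments>-][<nsp>,][<ackId>]<json>
// Throws on malformed input or on an attachment count above MAX_ATTACHMENTS.
function decodeHeader(str) {
  let i = 0;
  const t = str.charAt(i++);
  if (!/^[0-6]$/.test(t)) throw new Error("unknown packet type");
  const type = Number(t);

  let attachments = 0;
  if (type === BINARY_EVENT || type === BINARY_ACK) {
    const dash = str.indexOf("-", i);
    const count = dash === -1 ? "" : str.slice(i, dash);
    if (!/^\d+$/.test(count)) throw new Error("illegal attachments");
    attachments = Number(count);
    // The defensive check: reject before any attachment buffer is reserved.
    if (attachments > MAX_ATTACHMENTS) throw new Error("too many attachments");
    i = dash + 1;
  }

  let nsp = "/";
  if (str.charAt(i) === "/") {
    const comma = str.indexOf(",", i);
    nsp = comma === -1 ? str.slice(i) : str.slice(i, comma);
    i = comma === -1 ? str.length : comma + 1;
  }

  let id;
  const idMatch = /^\d+/.exec(str.slice(i));
  if (idMatch) { id = Number(idMatch[0]); i += idMatch[0].length; }

  const data = i < str.length ? JSON.parse(str.slice(i)) : undefined;
  return { type, attachments, nsp, id, data };
}
// Wraps decodeHeader so callers see either the packet or the rejection reason.
function tryDecode(str) {
  try { return { ok: true, packet: decodeHeader(str) }; }
  catch (e) { return { ok: false, reason: e.message }; }
}
```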

@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Mar 27, 2026

changeset-bot bot commented Mar 27, 2026

⚠️ No Changeset found

Latest commit: 2d613c1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


cursor bot commented Mar 27, 2026

PR Summary

Medium Risk
Primarily a dependency/lockfile update, but the lockfile churn (notably socket.io-parser 4.2.4→4.2.6 and broad transitive re-resolution) could impact runtime behavior for packages that consume the updated dependency graph.

Overview
Upgrades socket.io-parser from 4.2.4 to 4.2.6 (via socket.io-client) to mitigate a memory-exhaustion DoS issue by limiting binary attachment handling.

Also regenerates pnpm-lock.yaml, causing broad transitive dependency re-resolution (e.g., many packages now resolve against zod@3.25.51, plus minor metadata/version adjustments like socket.io-parser’s debug peer update), and reformats the lint-staged config in package.json without changing behavior.

Written by Cursor Bugbot for commit 2d613c1. This will update automatically on new commits. Configure here.

@aikido-autofix aikido-autofix bot closed this Mar 27, 2026
@aikido-autofix aikido-autofix bot deleted the fix/aikido-security-update-packages-20896667-8lbg branch March 27, 2026 23:48

Labels

dependencies Pull requests that update a dependency file
