[Aikido] Fix 11 security issues in hono, socket.io-parser, h3 and 3 more

[aikido-autofix]

Upgrade dependencies to fix critical authorization bypass in Hono, memory exhaustion DoS in Socket.IO, SSE injection in h3, and DoS vulnerabilities in Axios and related packages.

✅ 11 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-29045	🚨 CRITICAL	[hono] URL decoding inconsistency between router and serveStatic allows bypassing route-based middleware protections via encoded slashes (%2F), enabling unauthorized access to protected static resources. This vulnerability permits attackers to circumvent authorization checks through path manipulation.
CVE-2026-29085	MEDIUM	[hono] Improper input validation in streamSSE() allows injection of arbitrary SSE fields through unvalidated carriage return and newline characters in event, id, and retry fields, enabling protocol manipulation and potential information disclosure or DoS attacks.
CVE-2026-29086	MEDIUM	[hono] The setCookie() utility fails to validate semicolons, carriage returns, and newlines in domain and path options, allowing attackers to inject additional cookie attributes through untrusted input. This could lead to cookie manipulation and potential security bypasses.
GHSA-v8w9-8mx6-g223	MEDIUM	[hono] Prototype pollution vulnerability in parseBody({ dot: true }) where specially crafted form field names like __proto__.x create objects with __proto__ properties, potentially enabling prototype pollution if merged unsafely into other objects.
GHSA-gq3j-xvxp-8hrf	LOW	[hono] The basicAuth and bearerAuth middlewares used non-timing-safe string comparison for hash validation, potentially allowing timing-based analysis attacks. The vulnerability has been fixed by implementing constant-time comparison to prevent early termination.
CVE-2026-33151	HIGH	[socket.io-parser] A specially crafted Socket.IO packet can cause the server to buffer a large number of binary attachments, leading to memory exhaustion and denial of service.
CVE-2026-33128	HIGH	[h3] Missing newline sanitization in SSE message formatting allows attackers who control message fields to inject arbitrary SSE events, enabling event spoofing, phishing, and denial-of-service attacks on connected clients. This framework-level vulnerability affects any application using SSE with user-controlled data.
GHSA-4hxc-9384-m385	MEDIUM	[h3] The EventStream class fails to sanitize carriage return (\r) characters in data and comment fields, allowing attackers to inject arbitrary SSE events, spoof event types, and split single push() calls into multiple browser-parsed events. This bypasses a prior fix that only addressed newline (\n) injection.
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2025-13465	MEDIUM	[lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
AIKIDO-2024-10466	MEDIUM	[viem] Insufficient entropy in the signature algorithm allows nonce reuse across transactions, enabling attackers to recover the private key and compromise cryptographic security.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2899/small-upgrade-for-lodash
• https://linear.app/cube-labs/issue/CUB-2961/small-upgrade-for-hono
• https://linear.app/cube-labs/issue/CUB-2965/minor-upgrade-for-axios
• https://linear.app/cube-labs/issue/CUB-3055/minor-upgrade-for-h3
• https://linear.app/cube-labs/issue/CUB-3051/small-upgrade-for-socketio-parser

---

PR-Codex overview

This PR focuses on updating dependency versions and restructuring configuration in package.json and related files to enhance project setup and maintainability.

Detailed summary

• Updated packageManager in package.json.
• Modified lint-staged configuration for better readability.
• Added new dependencies: hono, socket.io-parser, h3, axios, lodash.
• Updated thirdweb version in packages/agw-web/package.json.
• Adjusted devDependencies and peerDependencies across multiple files.
• Improved typesVersions formatting in packages/agw-react/package.json.
• Updated various package versions in pnpm-lock.yaml.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6b95d0d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

PR Summary

Medium Risk
Primarily dependency/lock-level changes to address multiple known CVEs; risk is moderate because forced overrides can introduce subtle runtime incompatibilities across the workspace.

Overview
Adds pnpm.overrides pins in the root package.json to force patched versions of hono, socket.io-parser, h3, axios, and lodash (plus related packages), addressing reported security vulnerabilities.

Also updates formatting in lint-staged/package metadata and bumps packages/agw-react dev dependency thirdweb to a specific nightly build, with no code logic changes.

^{Written by Cursor Bugbot for commit 6b95d0d. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Nightly thirdweb build committed in security fix PR

Medium Severity

The thirdweb devDependency was changed from "^5.68.0" to a nightly pre-release build ("5.93.5-nightly-b51157c0ff17e9535029fc8790cfa8538d1c995f-20250326000337"). This appears to be a testing artifact accidentally included in a PR that's meant to only fix security vulnerabilities. Nightly builds are unstable by definition and pinning to one in a committed package.json can cause reproducibility issues and unexpected breakage.