
[Aikido] Fix 5 security issues in lodash, js-yaml, @asyncapi/parser and 8 more #19

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-14487143-m7Va

Conversation

@aikido-autofix

Upgrades multiple dependencies to address prototype pollution, YAML parsing, and AWS SDK vulnerabilities, mitigating potential RCE and DoS risks across libraries.

✅ Code not affected by breaking changes.

No breaking changes from either package upgrade affect this codebase.

js-yaml (3.14.1 => 4.1.1):

  • The package is only used as a transitive dependency through @asyncapi/parser, @asyncapi/cli, @asyncapi/generator, and @apidevtools/json-schema-ref-parser

  • No direct imports or usage of js-yaml found in the source code

  • No usage of deprecated methods like safeLoad(), safeDump(), DEFAULT_SAFE_SCHEMA, DEFAULT_FULL_SCHEMA, or Schema.create() found in the codebase

  • The breaking changes only affect code that directly uses js-yaml APIs, which this codebase does not

@smithy/config-resolver (3.0.12 => 4.4.0):

  • The package is only used as a transitive dependency through AWS SDK packages

  • No direct imports or usage of @smithy/config-resolver found in the source code

  • The project's package.json does not specify a Node.js engine requirement, and the breaking change (dropping Node.js 16 support) only matters if the project is running on Node.js 16, which is not enforced or indicated in the codebase

  • Since there's no direct usage and no explicit Node.js 16 constraint, this upgrade poses no risk

Both packages are used only as transitive dependencies with no direct code interaction, making the upgrades safe for this codebase.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2025-13465 | MEDIUM | Prototype pollution vulnerability in Lodash allows attackers to delete methods from global object prototypes via crafted paths in _.unset and _.omit, potentially disrupting application functionality. |
| CVE-2025-64718 | MEDIUM | Prototype pollution vulnerability in js-yaml allows attackers to modify object prototypes when parsing untrusted YAML, potentially leading to remote code execution or other critical security impacts. |
| AIKIDO-2025-10809 | MEDIUM | Prototype Pollution vulnerability in YAML parsing allows attackers to inject malicious properties into object prototypes, potentially leading to remote code execution, DoS, or other security breaches through crafted input. |
| GHSA-6475-r3vj-m8vf | LOW | An attacker could manipulate the region input field in AWS SDK for JavaScript, potentially routing API calls to unintended or non-AWS hosts, risking improper service configuration and potential security misrouting. |
| CVE-2026-24001 | LOW | Vulnerability in jsdiff allows DoS via infinite loop when parsing patches with specific line break characters in filename headers, consuming unlimited memory and causing process crash with minimal payload. |

@vercel

vercel bot commented Jan 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| cash-register-api-example-client | Error | Error | Jan 23, 2026 11:49pm |


CVE-2025-64756 in glob - high severity
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Remediation: Aikido suggests bumping this package to version 10.5.0 to resolve this issue.
View details in Aikido Security

@aikido-autofix aikido-autofix bot closed this Jan 26, 2026