[Aikido] Fix 7 security issues in lodash, @actions/github, @octokit/core #7

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-21845848-114l

@aikido-autofix aikido-autofix Bot commented Apr 3, 2026

Upgrade lodash, @actions/github, and @octokit/core to fix critical RCE vulnerability in template compilation via unsafe Function() constructor usage with untrusted imports.

⚠️ Incomplete breaking changes analysis (1/3 analyzed)

⚠️ Breaking changes analysis not available for: @actions/github, @octokit/core

✅ No breaking changes affect this codebase:

lodash (4.17.21 => 4.18.1): The codebase only uses _.filter() and _.merge(). The breaking changes to _.unset(), _.omit(), and _.template() do not affect this code as these methods are not used.

@octokit packages: The @actions/github@6.0.1 dependency already includes the target versions of all @octokit packages (@octokit/endpoint@9.0.6, @octokit/plugin-paginate-rest@9.2.2, @octokit/request@8.4.1, @octokit/request-error@5.1.1). The upgrade is effectively already in place through the transitive dependencies. Additionally, the action runs on Node 20, which satisfies the Node.js >= 18 requirement, and the code doesn't use custom HTTP agents or forbidden request options.

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |

✅ 7 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-4800 | 🚨 CRITICAL | [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| AIKIDO-2025-10094 | LOW | [@octokit/endpoint] Improper header parsing for GraphQL endpoints allows attackers to craft malicious inputs triggering ReDoS through excessive regex backtracking, causing denial of service and performance degradation. |
| CVE-2025-25288 | LOW | [@octokit/plugin-paginate-rest] A ReDoS (Regular Expression Denial of Service) vulnerability exists in the pagination iterator when processing malicious link headers, allowing attackers to cause denial of service through specially crafted requests. |
| CVE-2025-25290 | LOW | [@octokit/request] A ReDoS vulnerability in the link header parsing regex allows attackers to cause excessive CPU usage and service unavailability through specially crafted HTTP responses. The unbounded regex pattern is susceptible to catastrophic backtracking when processing malicious input. |
| CVE-2025-25289 | LOW | [@octokit/request-error] A Regular Expression Denial of Service (ReDoS) vulnerability in HTTP header processing allows attackers to cause excessive resource consumption and DoS by sending malformed authorization headers with long space sequences. This can significantly degrade performance or crash services. |

Comment thread package-lock.json

4 open source vulnerabilities detected - critical severity
Aikido detected 4 vulnerabilities across 1 package, including 1 critical and 3 high vulnerabilities.

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

@aikido-autofix aikido-autofix Bot (Author) commented

Closed by Aikido: a new AutoFix has been created → #9

@aikido-autofix aikido-autofix Bot closed this Apr 23, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-21845848-114l branch April 23, 2026 23:47