
[Aikido] Fix 8 security issues in lodash, @actions/core, @actions/github and 2 more#9

Open: aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-25808355-75mt

Conversation


aikido-autofix (bot) commented Apr 23, 2026

Upgrade dependencies to fix critical RCE vulnerability in lodash template injection via options.imports and prototype pollution. This update includes breaking changes that require manual migration.

⚠️ Incomplete breaking changes analysis (2/5 analyzed)

⚠️ Breaking changes analysis not available for: @actions/core, @actions/github, @octokit/core

⚠️ The upgrade has breaking changes that affect this codebase:

uuid (8.3.2 => 14.0.0)

Where your code is affected: The uuid package is used as a dependency of aws-sdk (visible in package-lock.json). The action runs using node24 (specified in action.yml).

Impact: The uuid v14 requires Node.js 20+ and expects crypto to be globally defined. While the action uses node24 which satisfies this requirement, the aws-sdk dependency uses uuid v8.0.0 internally. This version mismatch could cause issues if aws-sdk attempts to use uuid features that have changed. Additionally, uuid v12+ removed CommonJS support, which aws-sdk (a CommonJS package) may rely on.

Remediation: The package.json already includes an override for uuid ("uuid@<=14.0.0": "14.0.0"), but this forces all uuid instances to v14. Consider removing this override to let aws-sdk use its compatible uuid version, or verify that aws-sdk v2.1354.0 is compatible with uuid v14.

@octokit packages (multiple upgrades)

Where your code is affected:

  • src/gh.js lines 9, 22, 35: Uses github.getOctokit() which internally uses @octokit/request

  • The bundled code in dist/index.js includes agent configuration code

Impact:

  1. All @octokit packages now require Node.js 18+ (the action uses node24, so this is satisfied)

  2. @octokit/request v8.0.0 removed the ability to pass custom request options except for method, headers, body, signal, data. The code in dist/index.js shows agent configuration being passed to requests, which may no longer be supported.

  3. @octokit/endpoint and @octokit/request v8+ replaced Node.js http(s) Agents with fetch dispatchers.

Remediation: Review the bundled dist/index.js to ensure no custom request options (like agent) are being passed to Octokit requests. If proxy support is needed, migrate from Node.js Agents to fetch dispatchers as documented in the @octokit packages.

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

Version  Description
4.18.0   _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0   _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed.

All breaking changes by upgrading uuid from version 8.3.2 to 14.0.0 (CHANGELOG)

Version  Description
9.0.0    Drop Node.js 10.x support
9.0.0    Remove the minified UMD build from the package
9.0.0    Drop IE 11 and Safari 10 support, remove msCrypto fallback, and no longer transpile browser build to ES2015
10.0.0   Drop Node.js 12 and 14 support, add Node.js 20 (only support node 16-20)
11.0.0   Refactor v1 internal state and options logic
11.0.0   Refactor v7 internal state and options logic
11.0.0   Port to TypeScript
12.0.0   Drop Node.js 16 support
12.0.0   Remove CommonJS support
12.0.0   Update to TypeScript 5.2
13.0.0   Make browser exports the default
14.0.0   crypto is now expected to be globally defined (requires node@20+)
14.0.0   Drop Node.js 18 support
14.0.0   Upgrade minimum supported TypeScript version to 5.4.3
14.0.0   v3(), v5(), and v6() now throw a RangeError if offset < 0 or offset + 16 > buf.length

✅ 8 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue                 Severity     Description
CVE-2026-4800         🚨 CRITICAL  [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-13465        MEDIUM       [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2026-2950         MEDIUM       [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior.
GHSA-w5hq-g745-h8pq   MEDIUM       [uuid] v3, v5, and v6 UUID functions silently perform partial writes when provided with out-of-range buffer offsets, unlike v4/v1/v7 which properly throw RangeError, potentially producing malformed identifiers without error.
AIKIDO-2025-10094     LOW          [@octokit/endpoint] Improper header parsing for GraphQL endpoints allows attackers to craft malicious inputs triggering ReDoS through excessive regex backtracking, causing denial of service and performance degradation.
CVE-2025-25288        LOW          [@octokit/plugin-paginate-rest] A ReDoS (Regular Expression Denial of Service) vulnerability exists in the pagination iterator when processing malicious link headers, allowing attackers to cause denial of service through specially crafted requests.
CVE-2025-25290        LOW          [@octokit/request] A ReDoS vulnerability in the link header parsing regex allows attackers to cause excessive CPU usage and service unavailability through specially crafted HTTP responses. The unbounded regex pattern is susceptible to catastrophic backtracking when processing malicious input.
CVE-2025-25289        LOW          [@octokit/request-error] A Regular Expression Denial of Service (ReDoS) vulnerability in HTTP header processing allows attackers to cause excessive resource consumption and DoS by sending malformed authorization headers with long space sequences. This can significantly degrade performance or crash services.
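The two lodash 4.18.0 behaviour changes listed above (the constructor/prototype block in _.unset/_.omit, including the array-wrapped segments of CVE-2026-2950, and the imports-key check in _.template), written as stand-alone guards that a codebase can assert on either side of the upgrade. This is an added example, not code from this PR or from lodash: the path splitter is a simplified stand-in for lodash's toPath (an assumption), and the guard additionally blocks `__proto__`, which the changelog excerpt above does not list.

```javascript
// Added example (not lodash's code). Assumes a simplified toPath; "__proto__"
// is blocked here on top of the page's constructor/prototype rule.
const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Flatten a path into string segments: "a.b[0].c", ['a', 'b'], and
// array-wrapped segments such as ['a', ['constructor'], 'x'] all become flat.
function toSegments(path) {
  if (Array.isArray(path)) return path.flat(Infinity).map(String);
  return String(path)
    .replace(/\[(.*?)\]/g, '.$1')               // a[0].b -> a.0.b
    .split('.')
    .filter(Boolean)
    .map((s) => s.replace(/^["']|["']$/g, '')); // strip quotes from a["x"]
}

// True unless a non-terminal segment names a prototype-reaching key.
function isSafeUnsetPath(path) {
  return toSegments(path).slice(0, -1).every((s) => !BLOCKED_NON_TERMINAL.has(s));
}

// unset with the 4.18.0 semantics: blocked paths return false and leave the
// target untouched; otherwise the leaf is deleted (true also when absent).
function safeUnset(target, path) {
  if (!isSafeUnsetPath(path)) return false;
  const segs = toSegments(path);
  let cur = target;
  for (const s of segs.slice(0, -1)) {
    if (cur === null || typeof cur !== 'object') return true;
    cur = cur[s];
  }
  if (cur === null || typeof cur !== 'object') return true;
  delete cur[segs[segs.length - 1]];
  return true;
}

// Mirror of the new _.template check: every imports key must be a plain
// identifier, because keys end up in the compiled function's source text.
function validateImportsKeys(imports) {
  for (const key of Object.keys(imports || {})) {
    if (!IDENTIFIER.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return true;
}
```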

Comment thread package-lock.json

4 open source vulnerabilities detected - critical severity
Aikido detected 4 vulnerabilities across 1 package; it includes 1 critical and 3 high vulnerabilities.

Remediation: Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
