[Aikido] Fix 8 security issues in node-forge, @isaacs/brace-expansion, minimatch

[aikido-autofix]

Upgrade node-forge to fix certificate chain validation bypass, signature forgery, DoS attacks, and Ed25519 malleability; upgrade @isaacs/brace-expansion to fix exponential expansion DoS.

⚠️ Incomplete breaking changes analysis (2/3 analyzed)

⚠️ Breaking changes analysis not available for: @isaacs/brace-expansion

✅ The node-forge upgrade from 1.3.2 to 1.4.0 does not introduce breaking changes that affect this codebase.

The codebase uses node-forge in packages/safe-chain/src/registryProxy/certUtils.js for:

• Generating RSA key pairs (forge.pki.rsa.generateKeyPair)

• Creating and signing certificates (cert.sign())

• Converting certificates and keys to/from PEM format

• Setting certificate extensions including basicConstraints

None of the breaking changes in version 1.4.0 affect this usage:

• BigInteger.modInverse(): Not used in the codebase

• RSA PKCS#1 v1.5 signature verification: The code only signs certificates, it does not verify signatures

• Ed25519 signature verification: Not used in the codebase

• pki.verifyCertificateChain(): Not used in the codebase

The code generates certificates with proper basicConstraints extension (already present in generateCa() function), so the stricter validation in certificate chain verification would not cause issues even if that function were used.

All breaking changes by upgrading node-forge from version 1.3.2 to 1.4.0 (CHANGELOG)

Version	Description
1.4.0	BigInteger.modInverse() now exits early with zero when the target object value is <= 0, instead of entering an infinite loop
1.4.0	RSA PKCS#1 v1.5 signature verification now rejects signatures that lack the required minimum of 8 bytes of padding
1.4.0	RSA signature verification now rejects forged signatures with extra fields in the ASN.1 DigestInfo structure (requires sequence length of two)
1.4.0	Ed25519 signature verification now rejects non-canonical signatures where scalar S >= L (group order)
1.4.0	pki.verifyCertificateChain() now rejects certificate chains where intermediate certificates lack basicConstraints extension

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-33896	HIGH	[node-forge] A vulnerability in certificate chain verification fails to enforce basicConstraints requirements when intermediate certificates lack specific extensions, allowing leaf certificates to act as CAs and sign other certificates that are incorrectly validated as legitimate.
CVE-2026-33891	MEDIUM	[node-forge] An infinite loop in the BigInteger.modInverse() function causes a Denial of Service when called with zero input, hanging the process and consuming 100% CPU due to an unreachable exit condition in the Extended Euclidean Algorithm.
CVE-2026-33894	MEDIUM	[node-forge] RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3) due to improper ASN structure validation and insufficient padding checks. This allows attackers to forge signatures via Bleichenbacher-style attacks, enabling authentication bypass.
CVE-2026-33895	MEDIUM	[node-forge] Ed25519 signature verification accepts forged non-canonical signatures with unreduced scalars, allowing signature malleability attacks that bypass authentication, authorization, and deduplication logic. This enables attackers to forge valid signatures that differ from canonical ones.
CVE-2026-25547	LOW	[@isaacs/brace-expansion] Unbounded brace range expansion causes denial of service through exponential expansion of repeated numeric ranges, consuming excessive CPU and memory and potentially crashing the process. An attacker can trigger this with a small malicious input pattern.
CVE-2026-26996	LOW	[minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs.
CVE-2026-27903	LOW	[minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems.
CVE-2026-27904	LOW	[minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs.

🔗 Related Tasks

• https://aikido.atlassian.net/browse/AIK-11288
• https://aikido.atlassian.net/browse/AIK-12250