[Aikido] Fix 6 security issues in lodash, diff, picomatch #42

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-11613-AIK-11641-update-packages-21764218-qtdn

Conversation


@aikido-autofix aikido-autofix Bot commented Apr 2, 2026

Upgrade lodash, diff, and picomatch to fix critical remote code execution vulnerabilities in template compilation and prototype pollution attacks.

✅ Code not affected by breaking changes.

✅ No breaking changes from lodash 4.18.0 affect this codebase.

The codebase uses _.template() in aws-test/tint.js (line 115), but it does not pass an imports option to the method - it only configures _.templateSettings.interpolate and calls _.template(templateSrc) with a single argument. The breaking change regarding imports validation does not apply.

The methods _.unset() and _.omit() are not used anywhere in the codebase.

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.0 (CHANGELOG)

| Version | Description |
| --- | --- |
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |

✅ 6 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-4800 | 🚨 CRITICAL | [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2026-24001 | MEDIUM | [diff] The parsePatch and applyPatch methods are vulnerable to denial-of-service attacks when processing patches with specific line break characters (\r, \u2028, \u2029) in filename or patch headers, causing infinite loops and memory exhaustion or ReDoS attacks. |
| CVE-2026-33672 | MEDIUM | [picomatch] A method injection vulnerability in POSIX bracket expressions allows specially crafted patterns to reference inherited methods, causing incorrect glob matching behavior that could bypass security-relevant filtering or validation logic. This integrity issue affects applications relying on glob patterns for access control. |
| CVE-2026-33671 | LOW | [picomatch] Regular Expression Denial of Service (ReDoS) vulnerability in extglob pattern processing causes catastrophic backtracking on crafted patterns, allowing attackers to consume excessive CPU and block the event loop when untrusted glob patterns are compiled or matched. |

🔗 Related Tasks
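The two lodash 4.18.0 behaviour changes in the bot's breaking-changes table (and the array-wrapped path shape mentioned under CVE-2026-2950) can be checked for before merging an upgrade like this one. The JavaScript below is an added example, not code from this PR, from Aikido or from lodash: it restates the documented rules as stand-alone guard functions with no lodash dependency, so recorded `_.unset`/`_.omit` paths and `_.template` options from a codebase can be audited offline. The path-splitting regex, the identifier rule and the `SAMPLE_SITES` list (which includes the single-argument `_.template` call the PR describes, plus hypothetical call sites) are assumptions made for illustration; lodash's real path and imports parsing is more elaborate.

```javascript
// Added example, not from this PR, Aikido or lodash. Stand-alone guards that mirror
// the two lodash 4.18.0 behaviour changes listed in the PR so call sites can be
// audited before upgrading. Path parsing and the identifier rule are simplified
// assumptions; lodash's real implementations are more elaborate.

const FORBIDDEN_NONTERMINAL = new Set(['constructor', 'prototype']);
// Assumed rule for which `imports` keys count as plain identifiers.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Normalise a lodash-style path ('a.b[0].c' or an array of keys) into a flat
// list of string keys. Nested arrays are flattened so array-wrapped segments
// (the bypass shape described under CVE-2026-2950) are seen as the keys they name.
function toPathKeys(path) {
  if (Array.isArray(path)) return path.flat(Infinity).map(String);
  return String(path).split(/[.[\]]+/).filter(Boolean);
}

// 4.18.0 rule: `constructor` / `prototype` may not appear before the last key.
// Returns true when _.unset/_.omit would now refuse the path (return false, no change).
function unsetPathIsBlocked(path) {
  const keys = toPathKeys(path);
  return keys.slice(0, -1).some((k) => FORBIDDEN_NONTERMINAL.has(k));
}

// 4.18.0 rule: every key of options.imports must be a plain identifier.
// Returns the offending keys; an empty array means _.template will accept the options.
function invalidImportKeys(imports) {
  if (imports == null || typeof imports !== 'object') return [];
  return Object.keys(imports).filter((k) => !IDENTIFIER_RE.test(k));
}

// Would an existing _.template(src, options) call still compile under 4.18.0?
function templateCallIsSafe(options) {
  return invalidImportKeys(options && options.imports).length === 0;
}

// Audit a list of recorded call sites, shaped like what a grep of a codebase
// for _.unset / _.omit / _.template would produce.
function auditCallSites(sites) {
  return sites.map((site) => {
    const ok = site.fn === 'template'
      ? templateCallIsSafe(site.options)
      : !unsetPathIsBlocked(site.path);
    return { ...site, ok };
  });
}

// Constructed sample: the single-argument _.template call the PR describes,
// plus hypothetical _.unset/_.omit usages (file names are made up).
const SAMPLE_SITES = [
  { file: 'aws-test/tint.js', fn: 'template', options: undefined },
  { file: 'example/a.js', fn: 'unset', path: 'settings.theme.color' },
  { file: 'example/b.js', fn: 'omit', path: ['user', 'constructor'] },
  { file: 'example/c.js', fn: 'unset', path: 'constructor.prototype.toString' },
];

for (const r of auditCallSites(SAMPLE_SITES)) {
  console.log(`${r.ok ? 'OK     ' : 'BLOCKED'} ${r.file} _.${r.fn}`);
}
```

A terminal `constructor` key (as in `example/b.js`) is deliberately reported as OK, because the documented rule only rejects `constructor` and `prototype` in non-terminal positions; anything flagged BLOCKED is a call whose return value or side effect changes after the upgrade and needs a look before merging.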
