
[Aikido] Fix 14 security issues in lodash-es, lodash, pdfmake and 5 more #1545

Open

aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-21762963-9yzg

Conversation

aikido-autofix (bot) commented Apr 2, 2026

Upgrade dependencies to fix RCE vulnerability in lodash template injection via options.imports, prototype pollution in .unset/.omit, SSRF in pdfmake URL loading, and prototype pollution in baseui. This update includes breaking changes that require manual migration.

⚠️ Incomplete breaking changes analysis (6/8 analyzed)

⚠️ Breaking changes analysis not available for: baseui, minimatch

⚠️ pdfmake (0.1.72 => 0.3.6)

  • Where your code is affected: src/components/data-grid/export/exportPdf.ts:36

  • Impact: The code accesses pdfMake.vfs and pdfFonts.pdfMake.vfs directly, which is affected by the breaking change "Change including virtual font storage in client-side". Additionally, the interface unification and promise-based API changes may affect how the module is imported and used.

  • Remediation: Update the font storage access pattern according to pdfmake 0.3.x documentation and verify the import paths and method signatures are compatible with the new unified interface.

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.0 (CHANGELOG)

| Version | Description |
|---|---|
| 4.18.0 | _.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template: imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template" error, where previously they were accepted. |

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.0 (CHANGELOG)

| Version | Description |
|---|---|
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |

All breaking changes by upgrading pdfmake from version 0.1.72 to 0.3.6 (CHANGELOG)

| Version | Description |
|---|---|
| 0.3.0 | Unify interface for node and browser |
| 0.3.0 | All methods return promise instead of using callback |
| 0.3.0 | Change including virtual font storage in client-side |
| 0.3.0 | Change parameters of pageBreakBefore function |

All breaking changes by upgrading d3-color from version 2.0.0 to 3.1.0 (CHANGELOG)

| Version | Description |
|---|---|
| 3.0.0 | Now requires Node.js 12 or higher |

✅ 11 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-4800 | HIGH | [lodash-es] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2026-2950 | MEDIUM | [lodash-es] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2025-13465 | MEDIUM | [lodash-es] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| AIKIDO-2026-10337 | MEDIUM | [pdfmake] A vulnerability allows loading external resources from arbitrary URLs during PDF generation, enabling server-side request forgery (SSRF) attacks if user-controlled input constructs document definitions. An attacker could exploit this to access internal services or restricted resources through unauthorized outbound requests. |
| AIKIDO-2024-10523 | MEDIUM | [react-hook-form] Prototype pollution vulnerability allows attackers to manipulate object prototypes via prototype and constructor properties, potentially leading to unintended behavior, security breaches, or further exploitation. |
| CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs. |
| CVE-2026-27903 | LOW | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs. |
| GHSA-36jr-mh4h-2g58 | LOW | [d3-color] The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds. |
| CVE-2026-33750 | LOW | [brace-expansion] A brace pattern with zero step value causes an infinite loop, leading to denial of service through process hangs and excessive memory allocation. The vulnerability affects string expansion operations when malicious or malformed patterns are processed. |
| CVE-2025-5889 | LOW | [brace-expansion] A regular expression complexity vulnerability in the expand function allows remote attackers to cause denial of service through inefficient regex processing, though exploitation is difficult and requires high attack complexity. |
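The two lodash 4.18.0 breaking changes listed in the comment above (path keys refused by _.unset / _.omit, and the imports-key check in _.template) are easy to misread when a migration test suddenly sees false instead of true. The following is an added illustration written for this page, not lodash's own code: a minimal unset that mirrors the described rule, normalising array-wrapped segments before the check, and an imports-key validator that uses a strict plain-identifier regex as an assumption (lodash's real character list is not on the page).

```javascript
// Added illustration, not lodash source. Keys that may never appear in a
// non-terminal position of an unset/omit path under the 4.18.0 rule above
// (__proto__ added here as an assumption; the page names constructor/prototype).
const FORBIDDEN_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Accepts a dotted string ("a.b.c") or an array of segments. Every segment is
// coerced with String() so an array-wrapped segment such as ['constructor']
// is compared as the key it would actually index with, not skipped.
function toPath(path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  return parts.map((p) => String(p));
}

// Mirrors the documented semantics: returns false and leaves the target
// untouched when a forbidden key is non-terminal, otherwise deletes the leaf
// (true also when nothing existed at that path, as lodash does).
function safeUnset(obj, path) {
  const keys = toPath(path);
  for (let i = 0; i < keys.length - 1; i++) {
    if (FORBIDDEN_NON_TERMINAL.has(keys[i])) return false;
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur === null || typeof cur !== 'object') return true;
    cur = cur[keys[i]];
  }
  if (cur === null || typeof cur !== 'object') return true;
  return delete cur[keys[keys.length - 1]];
}

// Assumed allow-list for imports keys: a key that is not a plain identifier
// cannot be spliced into compiled template source, so reject it up front with
// the same message the 4.18.0 changelog entry quotes.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function validateImportsKeys(imports) {
  for (const key of Object.keys(imports || {})) {
    if (!IDENTIFIER.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return true;
}
```

A terminal constructor key (for example `x.constructor`) is still deleted, which matches the "non-terminal" wording of the changelog entry.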

github-actions (bot) added the "bug" label (Something isn't working) on Apr 2, 2026