
[Aikido] Fix 4 security issues in lodash, picomatch #28

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-11612-AIK-11643-update-packages-21764217-at78

Conversation

@aikido-autofix (bot) commented Apr 2, 2026

Upgrade lodash and picomatch to fix critical RCE vulnerability in template compilation via prototype pollution and unsafe imports, plus medium ReDoS and integrity issues in glob matching.

✅ Code not affected by breaking changes.

✅ No breaking changes from the lodash upgrade affect this codebase.

The codebase uses _.template() in gcp-test/tint.js:113, but it does not pass an imports option, so the breaking change regarding forbidden identifier characters in imports does not apply.

The methods _.unset() and _.omit() are not used anywhere in the codebase, so the breaking change blocking constructor and prototype path keys does not apply.

All breaking changes by upgrading lodash from version 4.17.23 to 4.18.1 (CHANGELOG)

| Version | Description |
|---------|-------------|
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |
✅ 4 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|-------|----------|-------------|
| CVE-2026-4800 | 🚨 CRITICAL | [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2026-33672 | MEDIUM | [picomatch] A method injection vulnerability in POSIX bracket expressions allows specially crafted patterns to reference inherited methods, causing incorrect glob matching behavior that could bypass security-relevant filtering or validation logic. This integrity issue affects applications relying on glob patterns for access control. |
| CVE-2026-33671 | LOW | [picomatch] Regular Expression Denial of Service (ReDoS) vulnerability in extglob pattern processing causes catastrophic backtracking on crafted patterns, allowing attackers to consume excessive CPU and block the event loop when untrusted glob patterns are compiled or matched. |
🔗 Related Tasks
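The two lodash 4.18.0 behaviour changes listed in the bot's comment (imports keys must be plain identifiers; constructor / prototype are refused as non-terminal path keys in _.unset and _.omit) are easy to pre-flight against a codebase before merging. The block below is an added, self-contained example written for this page; it is not lodash's code and not part of the PR. It reimplements both checks the way the comment describes them, with the unsafe shape beside the hardened one. The function names, the identifier regex and the rule that dotted strings are split on "." are assumptions; the sample inputs are constructed here and are not taken from the repository's gcp-test/tint.js.

```javascript
// Added example: a self-contained re-implementation of the two lodash 4.18.0
// checks the PR description lists, written to pre-flight a codebase before
// the upgrade. It is not lodash's code; names, the identifier regex and the
// path-normalisation rule are assumptions made here.

// lodash compiles a template with Function(importsKeys, source), so every
// key of options.imports is spliced into a parameter list. A key that is not
// a plain identifier therefore changes the generated source.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/; // assumed validation rule

// Keys of an imports option that a 4.18.0-style check would reject.
function invalidImportsKeys(imports = {}) {
  return Object.keys(imports).filter((key) => !IDENTIFIER.test(key));
}

// Pre-fix shape: keys are trusted and land verbatim in the parameter list.
// The source is returned as a string so the injection point is visible; it
// is never evaluated here.
function unsafeTemplateSource(imports, body) {
  return `function (${Object.keys(imports).join(', ')}) { return ${body}; }`;
}

// Hardened shape: refuse before any source is generated.
function safeTemplateSource(imports, body) {
  const bad = invalidImportsKeys(imports);
  if (bad.length > 0) {
    throw new Error(`Invalid imports option passed into template: ${bad.join(', ')}`);
  }
  return unsafeTemplateSource(imports, body);
}

// Keys that must never be walked through: "constructor.prototype.<x>" on any
// plain object resolves to Object.prototype. "__proto__" is blocked here too.
const BLOCKED_INTERMEDIATE = new Set(['constructor', 'prototype', '__proto__']);

// Normalise a path to string segments. Array-wrapped segments such as
// [['constructor'], 'prototype'] are flattened first, which is the step the
// CVE-2026-2950 text in the PR says earlier checks did not perform.
function toSegments(path) {
  const parts = Array.isArray(path) ? path.flat(Infinity) : String(path).split('.');
  return parts.map(String);
}

// Pre-fix traversal: returns the object the terminal delete would run on.
// For {} and "constructor.prototype.toString" that is Object.prototype.
function unsafeResolveParent(obj, path) {
  const segs = toSegments(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1 && cur != null; i++) {
    cur = cur[segs[i]];
  }
  return cur;
}

// 4.18.0-style unset: false (and no change) when a non-terminal segment is a
// blocked key, true otherwise (including when the path does not exist).
function safeUnset(obj, path) {
  const segs = toSegments(path);
  if (segs.slice(0, -1).some((s) => BLOCKED_INTERMEDIATE.has(s))) {
    return false;
  }
  const parent = unsafeResolveParent(obj, path);
  if (parent == null || (typeof parent !== 'object' && typeof parent !== 'function')) {
    return true;
  }
  const last = segs[segs.length - 1];
  if (!Object.prototype.hasOwnProperty.call(parent, last)) return true;
  try {
    return delete parent[last];
  } catch {
    return false; // non-configurable property under strict mode
  }
}

// Pre-flight usage on constructed sample input (not from the PR's codebase).
const sampleImports = { _: {}, 'x) {': 1 };
console.log(invalidImportsKeys(sampleImports)); // [ 'x) {' ]
console.log(unsafeResolveParent({}, 'constructor.prototype.toString') === Object.prototype); // true
console.log(safeUnset({}, [['constructor'], 'prototype', 'toString'])); // false
```

Running invalidImportsKeys over every imports option a codebase passes to _.template is the check that tells you whether the 4.18.0 "Invalid imports option" throw will fire after the upgrade; unsafeResolveParent shows why the intermediate-key block exists without touching any built-in prototype, and safeUnset shows the post-upgrade return value callers of _.unset and _.omit should now expect.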

