
[Aikido] Fix security issue in lodash-es via minor version upgrade from 4.17.21 to 4.18.1 in client#798

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-35160577-8jba

Conversation

aikido-autofix (bot) commented May 16, 2026

Upgrade lodash-es to patch critical RCE vulnerability in _.template via options.imports injection and medium prototype pollution issues in _.unset and _.omit functions.

⚠️ Breaking changes in this upgrade

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)

Version   Description
4.18.0    _.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0    _.template: imports keys containing forbidden identifier characters now throw an "Invalid imports option passed into _.template" error, where previously they were accepted.
✅ 3 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue             Severity      Description
CVE-2026-4800     🚨 CRITICAL   [lodash-es] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-13465    MEDIUM        [lodash-es] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2026-2950     MEDIUM        [lodash-es] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior.
🤖 Remediation details

Fix security vulnerabilities in lodash and lodash-es transitive dependencies

Short summary

This PR remediates security vulnerabilities in two transitive dependencies — lodash and lodash-es — present in client/package-lock.json. Neither package is a direct dependency in client/package.json; both are resolved transitively by multiple upstream packages. The fixes are lockfile-only for lodash (resolved via npm update) and lockfile + override for lodash-es (requiring an overrides entry in client/package.json due to exact-version pinning by CKEditor sub-packages).

lodash

lodash was resolved at 4.17.23 in the lockfile, below the patched floor of 4.18.0 / 4.18.1. All parents that pull in lodash (react-big-calendar, react-color, reactcss, semantic-ui-react, @uppy/core, @uppy/dashboard, @uppy/utils, recharts, @testing-library/jest-dom, whatwg-url) declare it with caret ranges (^4.17.x or ^4.7.0) that are semver-compatible with 4.18.1, so the lockfile was stale rather than structurally blocked. Running npm update lodash --package-lock-only from the client/ directory refreshed the single hoisted instance to 4.18.1 without any manifest changes.

lodash-es

lodash-es was resolved at 4.17.21 in the lockfile, below the patched floor of 4.18.1. While non-CKEditor parents (react-big-calendar, react-color, semantic-ui-react) already declared compatible caret ranges, the CKEditor sub-packages (@ckeditor/ckeditor5-clipboard, @ckeditor/ckeditor5-core, @ckeditor/ckeditor5-engine, and many others at versions 40.x and 41.x) pin lodash-es exactly at "4.17.21", preventing a lockfile-only resolution. The predefined build @ckeditor/ckeditor5-build-multi-root only exists up to 44.x, so no parent bump within the available version range could unblock the exact pin. A targeted selector-style override "lodash-es@<4.18.1": "4.18.1" was added to the overrides block in client/package.json, and npm install --package-lock-only resolved the single hoisted instance to 4.18.1.

Version changes

Package From To Why updated
lodash 4.17.23 4.18.1 Direct CVE fix — lockfile refresh via npm update (all parents allow ^4.18.x)
lodash-es 4.17.21 4.18.1 Direct CVE fix — override "lodash-es@<4.18.1": "4.18.1" added to client/package.json; CKEditor sub-packages exact-pin 4.17.21 making lockfile-only resolution impossible
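The remediation above relies on two things that are worth verifying independently of the bot: that every resolved copy of lodash and lodash-es in client/package-lock.json is at or above the patched floor (the comment says there is a single hoisted instance, but an exact pin such as CKEditor's can also leave a nested copy under node_modules/<parent>/node_modules/ that a hoisted-only check misses), and that the "lodash-es@<4.18.1" override actually landed in client/package.json. The script below is an added example, not code from the Aikido PR or from the client repository. It walks the real npm lockfile v2/v3 "packages" layout and npm's real "overrides" field; the version comparison is a deliberately minimal major.minor.patch compare, and the LOCK_BEFORE / LOCK_AFTER lockfiles and PKG_* manifests are constructed sample inputs modelled on the state the comment describes, not the repository's actual files.

```javascript
// Added example, not code from the Aikido PR or the client repository.
// Offline check that a package-lock.json (lockfile v2/v3 layout) resolves no
// copy of lodash or lodash-es below the patched floor, hoisted or nested, and
// that package.json carries an npm "overrides" entry for lodash-es.
// The lockfile and package.json objects at the bottom are constructed samples.

const PATCH_FLOOR = { lodash: "4.18.1", "lodash-es": "4.18.1" };

// Numeric major.minor.patch comparison; prerelease suffixes are ignored, which
// is sufficient for lodash's release history. Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile "packages" keys are install paths: "node_modules/lodash" for the
// hoisted copy, "node_modules/foo/node_modules/lodash" for a nested one. The
// package name is whatever follows the last "node_modules/" segment, so scoped
// parents such as "node_modules/@ckeditor/ckeditor5-core" need no special case.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Every resolved instance of a floor-tracked package below its floor.
function findUnpatched(lockfile, floors = PATCH_FLOOR) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (name === null || !(name in floors) || !meta.version) continue;
    if (compareVersions(meta.version, floors[name]) < 0) {
      hits.push({ path: installPath, name, version: meta.version, required: floors[name] });
    }
  }
  return hits;
}

// An overrides key is a bare name ("lodash-es") or a selector
// ("lodash-es@<4.18.1"); for scoped packages the leading "@" belongs to the
// name, so the separator is the first "@" after position 0.
function overrideKeyName(key) {
  const at = key.indexOf("@", key.startsWith("@") ? 1 : 0);
  return at === -1 ? key : key.slice(0, at);
}

// True if package.json pins `name` via overrides to a version at or above floor.
function hasOverride(pkg, name, floor) {
  return Object.entries(pkg.overrides || {}).some(
    ([key, value]) =>
      overrideKeyName(key) === name &&
      typeof value === "string" &&
      compareVersions(value, floor) >= 0
  );
}

// Combined verdict for one client/ directory.
function audit(lockfile, pkg) {
  const unpatched = findUnpatched(lockfile);
  const overrideMissing = !hasOverride(pkg, "lodash-es", PATCH_FLOOR["lodash-es"]);
  return { unpatched, overrideMissing, ok: unpatched.length === 0 && !overrideMissing };
}

// Constructed sample: state before the PR. lodash-es is still at the
// CKEditor-pinned 4.17.21, both hoisted and as a nested copy; lodash is fine.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "client", version: "1.0.0" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/lodash-es": { version: "4.17.21" },
    "node_modules/@ckeditor/ckeditor5-core": { version: "41.0.0", dependencies: { "lodash-es": "4.17.21" } },
    "node_modules/@ckeditor/ckeditor5-core/node_modules/lodash-es": { version: "4.17.21" },
  },
};
const PKG_BEFORE = { name: "client", dependencies: {} };

// Constructed sample: state after the PR's override and lockfile refresh.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "client", version: "1.0.0" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/lodash-es": { version: "4.18.1" },
    "node_modules/@ckeditor/ckeditor5-core": { version: "41.0.0", dependencies: { "lodash-es": "4.17.21" } },
  },
};
const PKG_AFTER = { name: "client", overrides: { "lodash-es@<4.18.1": "4.18.1" } };

for (const [label, lock, pkg] of [["before", LOCK_BEFORE, PKG_BEFORE], ["after", LOCK_AFTER, PKG_AFTER]]) {
  console.log(label, JSON.stringify(audit(lock, pkg)));
}
```

To run this against the real files, replace the constructed objects with `JSON.parse(fs.readFileSync("client/package-lock.json"))` and the same for client/package.json; `npm ls lodash-es` from client/ gives the same per-instance view from npm itself and is the quickest cross-check that the override did not leave a nested 4.17.21 behind.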
