[Aikido] Fix security issue in glob via minor version upgrade from 10.4.5 to 10.5.0#219

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-25813531-aotr

Conversation

@aikido-autofix
Contributor

Upgrade glob to fix critical vulnerabilities: prototype pollution via JSON deserialization, arbitrary code injection in template imports, proxy bypass/SSRF via hostname normalization, and RCE via protobuf type field injection.

⚠️ Breaking changes analysis not available for: glob

✅ 22 CVEs resolved by this upgrade, including 4 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-23736 | 🚨 CRITICAL | [seroval] Improper input validation in JSON deserialization allows malicious object keys to cause prototype pollution, enabling attackers to modify object prototypes and potentially execute arbitrary code or manipulate application behavior. |
| CVE-2026-23737 | HIGH | [seroval] Improper input handling in JSON deserialization allows arbitrary JavaScript code execution through constant value and error deserialization overrides. Attackers can exploit the `fromJSON` and `fromCrossJSON` functions via multiple requests to achieve RCE in client-to-server scenarios. |
| CVE-2026-23957 | HIGH | [seroval] A denial of service vulnerability exists where attackers can override encoded array lengths with excessively large values, causing the deserialization process to consume significant processing time and resources. |
| CVE-2026-24006 | HIGH | [seroval] A stack overflow vulnerability occurs when serializing deeply nested objects, causing denial of service. The vulnerability is mitigated by introducing a configurable depth limit parameter that throws an error when exceeded. |
| CVE-2026-23956 | MEDIUM | [seroval] Unsafe RegExp deserialization allows attackers to cause memory exhaustion or trigger ReDoS attacks through malicious regex patterns, leading to denial of service. |
| CVE-2026-4800 | 🚨 CRITICAL | [lodash] A vulnerability in `_.template` allows arbitrary code execution through untrusted key names in `options.imports` or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in the `_.unset` and `_.omit` functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in the `_.unset` and `_.omit` functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2025-62718 | 🚨 CRITICAL | [axios] Improper hostname normalization in `NO_PROXY` rule checking allows requests to loopback addresses (`localhost.`, `[::1]`) to bypass proxy protections, enabling proxy bypass and potential SSRF attacks against internal services. This vulnerability permits attackers to reach sensitive services despite configured `NO_PROXY` protections. |
| CVE-2026-40175 | HIGH | [axios] A prototype pollution vulnerability in Axios can be exploited through gadget chains to escalate into Remote Code Execution (RCE) or bypass AWS IMDSv2 for cloud compromise. This affects any third-party dependencies using the library. |
| CVE-2026-25639 | HIGH | [axios] The `mergeConfig` function crashes with a TypeError when processing configuration objects containing `__proto__` as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via `JSON.parse()`. |
| CVE-2026-39865 | MEDIUM | [axios] A state corruption bug in HTTP/2 session cleanup allows a malicious server to crash the client process through concurrent session closures via improper control flow in session removal logic. |
| CVE-2026-41242 | 🚨 CRITICAL | [protobufjs] Arbitrary code injection vulnerability in protobuf type fields allows attackers to execute malicious code during object decoding. This enables remote code execution (RCE) when processing untrusted protobuf definitions. |
| AIKIDO-2026-10467 | MEDIUM | [protobufjs] Prototype pollution vulnerability in message initialization allows attackers to inject malicious properties via the `__proto__` field, enabling prototype chain manipulation and unintended property injection across the application. |
| CVE-2026-3304 | HIGH | [multer] A vulnerability allows attackers to trigger Denial of Service (DoS) attacks by sending malformed `multipart/form-data` requests, causing resource exhaustion. This impacts availability by potentially crashing or degrading the application's performance. |
| CVE-2026-2359 | HIGH | [multer] A vulnerability allows attackers to trigger a Denial of Service by dropping connections during file uploads, causing resource exhaustion. This impacts server availability and resource management. |
| CVE-2026-3520 | HIGH | [multer] A vulnerability allows attackers to trigger a Denial of Service (DoS) attack by sending malformed `multipart/form-data` requests, potentially causing stack overflow and application crashes. |
| CVE-2025-64756 | HIGH | [glob] A command injection vulnerability in the CLI's `-c`/`--cmd` option allows arbitrary code execution when processing files with malicious names, as matched filenames are passed to a shell with shell metacharacters interpreted. |
| CVE-2026-24001 | HIGH | [diff] The `parsePatch` and `applyPatch` methods are vulnerable to denial-of-service attacks when processing patches with specific line break characters (`\r`, `\u2028`, `\u2029`) in filename or patch headers, causing infinite loops and memory exhaustion or ReDoS attacks. |
| CVE-2026-2391 | HIGH | [qs] Comma-separated value parsing bypasses `arrayLimit` enforcement when `comma: true` is enabled, allowing attackers to create arbitrarily large arrays from a single parameter and cause denial-of-service through memory exhaustion. |
| CVE-2025-15284 | MEDIUM | [qs] Improper input validation in array parsing allows the `arrayLimit` option to be bypassed when using bracket notation, enabling potential HTTP DoS attacks when `parameterLimit` is set to high values. The vulnerability inconsistently enforces `arrayLimit` only for indexed notation while ignoring it for bracket notation array syntax. |
| GHSA-r4q5-vmmm-2653 | HIGH | [follow-redirects] Custom authentication headers (e.g., `X-API-Key`, `X-Auth-Token`) are leaked to redirect targets on cross-domain redirects because only standard headers are stripped. This enables attackers to capture sensitive credentials through malicious redirects. |
