[Aikido] Fix 10 security issues in pdfmake, lodash, lodash-es and 5 more #1543

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-20990042-7xs8

Conversation

@aikido-autofix

Upgrade dependencies to fix SSRF in pdfmake, prototype pollution in lodash/lodash-es, and ReDoS vulnerabilities in minimatch and brace-expansion.

✅ 9 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2026-10337 | MEDIUM | [pdfmake] A vulnerability allows loading external resources from arbitrary URLs during PDF generation, enabling server-side request forgery (SSRF) attacks if user-controlled input constructs document definitions. An attacker could exploit this to access internal services or restricted resources through unauthorized outbound requests. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| AIKIDO-2024-10523 | MEDIUM | [react-hook-form] Prototype pollution vulnerability allows attackers to manipulate object prototypes via prototype and constructor properties, potentially leading to unintended behavior, security breaches, or further exploitation. |
| CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs. |
| CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs. |
| CVE-2026-27903 | LOW | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| GHSA-36jr-mh4h-2g58 | LOW | [d3-color] The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds. |
| CVE-2026-33750 | LOW | [brace-expansion] A brace pattern with zero step value (e.g., {1..2..0}) causes an infinite loop that hangs the process for seconds and allocates excessive memory, resulting in a denial of service. Untrusted input strings passed to expand() are vulnerable to this attack with just 10 bytes of malicious input. |
| CVE-2025-5889 | LOW | [brace-expansion] A regular expression complexity vulnerability in the expand function allows remote attackers to cause denial of service through inefficient regex processing, though exploitation is difficult and requires high attack complexity. |
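
Four of the advisories above (CVE-2026-26996, CVE-2026-27904, CVE-2026-27903 and CVE-2026-33750) share one root cause from the application's point of view: an untrusted string reaches minimatch() or expand() as a pattern. Upgrading the packages is the fix; the following is an added example, not code from this PR or from the minimatch/brace-expansion projects, of a pre-validation gate a service can put in front of those calls so that the pattern shapes named in the advisories are refused before any regex is built. The numeric thresholds (`MAX_CONSECUTIVE_STARS`, `MAX_GLOBSTAR_SEGMENTS`, `MAX_PATTERN_LENGTH`) and the function names are assumptions chosen for illustration.

```javascript
// Added example: a defensive gate for glob patterns taken from untrusted input.
// Returns null when the pattern passes, otherwise a short reason string that can
// be logged. Thresholds below are assumptions, not values from the advisories.
const MAX_CONSECUTIVE_STARS = 3;   // assumption: longer runs of '*' before a literal are refused
const MAX_GLOBSTAR_SEGMENTS = 2;   // assumption: more '**' path segments than this are refused
const MAX_PATTERN_LENGTH = 256;    // assumption: a blunt upper bound on pattern size

// CVE-2026-27904 concerns nested extglobs such as +(a|*(b)). Walk the pattern
// tracking extglob group depth; an opener seen while already inside a group is nested.
function hasNestedExtglob(pattern) {
  let depth = 0;
  let prevIsOpener = false; // previous unescaped char was one of ? * + @ !
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') {          // skip the escaped character entirely
      i++;
      prevIsOpener = false;
      continue;
    }
    if (c === '(' && prevIsOpener) {
      if (depth > 0) return true;
      depth++;
    } else if (c === ')' && depth > 0) {
      depth--;
    }
    prevIsOpener = '?*+@!'.includes(c);
  }
  return false;
}

function checkGlobPattern(pattern) {
  if (typeof pattern !== 'string') return 'pattern must be a string';
  if (pattern.length > MAX_PATTERN_LENGTH) return 'pattern too long';

  // CVE-2026-33750: a sequence brace range with a zero step, e.g. {1..2..0}
  // (optional sign and leading zeros on the step are also caught).
  if (/\{[^{}]*\.\.[^{}]*\.\.[-+]?0+\}/.test(pattern)) return 'zero-step brace range';

  // CVE-2026-27904: nested extglobs.
  if (hasNestedExtglob(pattern)) return 'nested extglob';

  // CVE-2026-26996: many consecutive '*' followed by a literal character.
  const starRun = new RegExp('\\*{' + (MAX_CONSECUTIVE_STARS + 1) + ',}[^*/]');
  if (starRun.test(pattern)) return 'run of consecutive wildcards';

  // CVE-2026-27903: multiple GLOBSTAR ('**') segments in one pattern.
  const globstars = pattern.split('/').filter((seg) => seg === '**').length;
  if (globstars > MAX_GLOBSTAR_SEGMENTS) return 'too many globstar segments';

  return null;
}

// Convenience wrapper for call sites that only need a boolean.
function isSafeGlobPattern(pattern) {
  return checkGlobPattern(pattern) === null;
}

module.exports = { checkGlobPattern, isSafeGlobPattern, hasNestedExtglob };
```

The gate is deliberately conservative: it can reject a legitimate but unusual pattern, which for build tooling and multi-tenant services is the right trade, and the reason string gives the operator something to alert on. It is a mitigation layer only; it does not replace taking the patched versions this PR pulls in.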
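
The lodash (CVE-2025-13465) and react-hook-form (AIKIDO-2024-10523) items are both prototype-pollution issues reached through a path or key that names `__proto__`, `constructor` or `prototype`. As an added example, not code from this PR or from either library, here is a path-based unset that refuses those segments outright and only walks own properties, so a crafted path cannot reach a shared prototype and delete a method from it. The helper names (`safeUnset`, `toPath`) and the simplified path syntax (dots and brackets, no quoted keys) are assumptions for illustration.

```javascript
// Added example: a prototype-pollution-resistant deep unset.
// Semantics follow the usual "return true if the property is gone afterwards"
// convention; this is not lodash's implementation.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ['a', 'b', '0', 'c']. Array paths are taken as-is.
// Simplified syntax (assumption): no quoted or escaped keys.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).split(/[.[\]]+/).filter(Boolean);
}

function safeUnset(obj, path) {
  const keys = toPath(path);
  if (keys.length === 0) return false;

  // Refuse any segment that would step onto a prototype chain.
  const bad = keys.find((k) => FORBIDDEN_KEYS.has(k));
  if (bad !== undefined) {
    throw new TypeError(`refusing to unset through prototype key "${bad}"`);
  }

  // Walk only own properties of plain objects/arrays; anything inherited
  // (including __proto__ via the accessor) is never traversed.
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur === null || typeof cur !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  if (cur === null || typeof cur !== 'object') return false;

  const last = keys[keys.length - 1];
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return true; // already absent
  return delete cur[last];
}

module.exports = { safeUnset, toPath, FORBIDDEN_KEYS };
```

The own-property check on every hop is the second line of defence: even if the forbidden-key list were bypassed by some future spelling, nothing inherited is ever traversed, so `Object.prototype` and `Array.prototype` stay untouched.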

@github-actions github-actions bot added the bug Something isn't working label Mar 28, 2026