[Aikido] Fix 9 security issues in lodash, undici #5311

Open

aikido-autofix[bot] wants to merge 1 commit into staging from aikido-security-update-packages-37394985-iorm

Conversation

aikido-autofix[bot] commented May 21, 2026

Upgrade lodash and undici to fix critical RCE via template injection and HTTP request smuggling vulnerabilities, plus high-severity WebSocket DoS attacks.

✅ Code not affected by breaking changes.

✅ No breaking changes affect this codebase. The search found no usages of _.unset(), _.omit(), or _.template() methods in the source code. While lodash is listed as a dependency in the lock file (used by various packages like Docusaurus, html-webpack-plugin, and pretty-error), the codebase itself does not directly use any of the methods affected by the breaking changes in lodash 4.18.1.

All breaking changes from upgrading lodash from version 4.17.23 to 4.18.1 (CHANGELOG)

| Version | Description |
|---|---|
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |
✅ 9 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-4800 | 🚨 CRITICAL | [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2026-1525 | 🚨 CRITICAL | [undici] Duplicate HTTP Content-Length headers with case-variant names are allowed, creating malformed requests that can cause denial of service or enable HTTP request smuggling attacks in inconsistent header interpretation scenarios. |
| CVE-2026-1526 | HIGH | [undici] A malicious WebSocket server can send compressed frames that expand to extremely large sizes in memory without limits, causing denial-of-service through memory exhaustion and process crash. The vulnerability stems from unbounded decompression in the permessage-deflate extension without size validation. |
| CVE-2026-1528 | HIGH | [undici] A server can send a WebSocket frame with an extremely large 64-bit length value, causing ByteParser integer overflow that results in a fatal TypeError and process termination (DoS). |
| CVE-2026-2229 | HIGH | [undici] A malicious WebSocket server can crash the client process by sending an invalid server_max_window_bits parameter in the permessage-deflate extension, causing an uncaught RangeError when creating a zlib decompressor with an out-of-range value. |
| CVE-2026-2581 | MEDIUM | [undici] An uncontrolled resource consumption vulnerability in the deduplication interceptor causes memory accumulation of response data for deduplicated requests, leading to potential Denial of Service through out-of-memory crashes when processing large responses from untrusted endpoints. The vulnerability is fixed by streaming response chunks instead of accumulating full bodies and preventing late deduplication after body streaming begins. |
| CVE-2026-1527 | MEDIUM | [undici] HTTP request smuggling vulnerability allowing CRLF injection through the upgrade option, enabling arbitrary header injection and premature request termination to smuggle data to non-HTTP services. |
| AIKIDO-2026-10369 | LOW | [undici] Prototype pollution vulnerability allows attackers to modify object prototypes through specially crafted input with keys like __proto__ or constructor, potentially influencing application behavior or enabling further attacks. |
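The two lodash changes listed in the bot comment above (blocking constructor/prototype as non-terminal path keys, including array-wrapped segments, and validating imports keys in _.template) are easier to reason about with a small model of the guard. The following is an added illustrative example, not lodash's own implementation: toPath, unsafeUnset, safeUnset, validateImports and demo are names chosen for this example, the unguarded walk is a simplified stand-in for the pre-fix behaviour, and the demonstration uses a private prototype object so nothing on Object.prototype is touched.

```javascript
// Added illustrative code, not lodash's own implementation: a path-based
// unset with the guards the 4.18.x changelog notes describe, shown next to
// the unguarded walk it replaces, plus the imports-key identifier check.

// Segments that, in a non-terminal position, move the walk from own data
// onto a shared prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalises "a.b[0].c", ["a", "b"] and nested arrays such as
// [["constructor"], "prototype", "x"] into a flat list of string keys, so an
// array-wrapped segment cannot slip past the check in safeUnset.
function toPath(path) {
  if (Array.isArray(path)) return path.flat(Infinity).map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, '.$1')
    .split('.')
    .filter((segment) => segment.length > 0);
}

// Pre-fix shape, kept for contrast: follows whatever property lookup returns,
// inherited accessors such as __proto__ included.
function unsafeUnset(object, path) {
  const keys = toPath(path);
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (current == null) return true;
    current = current[keys[i]];
  }
  return current == null || delete current[keys[keys.length - 1]];
}

// Hardened shape: returns false and leaves the object untouched when a blocked
// key appears anywhere before the last segment, and only walks own properties.
function safeUnset(object, path) {
  const keys = toPath(path);
  if (keys.length === 0) return false;
  for (let i = 0; i < keys.length - 1; i++) {
    if (BLOCKED_KEYS.has(keys[i])) return false;
  }
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (current === null || typeof current !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(current, keys[i])) return false;
    current = current[keys[i]];
  }
  if (current === null || typeof current !== 'object') return false;
  return delete current[keys[keys.length - 1]];
}

// Imports keys end up as parameter names of the compiled template function,
// so any key that is not a plain identifier is a code-injection vector.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function validateImports(imports) {
  // Object.keys walks own keys only, so a polluted prototype adds nothing.
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return true;
}

// Shows the difference on a private prototype instead of Object.prototype.
function demo() {
  const shared = { greet: 'hi' };
  const victim = Object.create(shared);
  // Array-wrapped "__proto__" reaches the shared prototype and deletes from it.
  const unsafeResult = unsafeUnset(victim, [['__proto__'], 'greet']);
  const sharedKeptGreet = Object.prototype.hasOwnProperty.call(shared, 'greet');

  const shared2 = { greet: 'hi' };
  const victim2 = Object.create(shared2);
  const safeResult = safeUnset(victim2, [['__proto__'], 'greet']);
  const shared2KeptGreet = Object.prototype.hasOwnProperty.call(shared2, 'greet');

  return { unsafeResult, sharedKeptGreet, safeResult, shared2KeptGreet };
}
```

The terminal segment is deliberately not blocked: deleting an own property literally named constructor on a plain object is legitimate, and it is only the non-terminal position that turns the path into a prototype walk.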
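For the two HTTP-side undici findings above (case-variant duplicate Content-Length, CVE-2026-1525, and CRLF injection through the upgrade option, CVE-2026-1527), here is an added example, not undici's code, of the checks a hardened HTTP/1.1 client applies before a request head reaches the socket, beside a naive builder that has the injection flaw. The function names naiveRequestHead, checkHeaders, buildRequestHead and headerLineCount, and the sample header lists in the usage, are this example's own.

```javascript
// Added example, not undici's code: validation of a request head before it
// is serialised, shown next to a naive builder with the CRLF flaw.

const CRLF = '\r\n';
const CTL = /[\r\n]/;                               // a bare CR or LF ends a header line
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;      // RFC 9110 token (header names)
const UPGRADE_PROTOCOL =                            // RFC 9110 protocol-name["/"version]
  /^[!#$%&'*+.^_`|~0-9A-Za-z-]+(?:\/[!#$%&'*+.^_`|~0-9A-Za-z-]+)?$/;

// Naive builder: the caller-supplied upgrade value is interpolated as-is, so
// "websocket\r\nX-Injected: 1" becomes an extra header line on the wire.
function naiveRequestHead(method, path, headers, upgrade) {
  let head = `${method} ${path} HTTP/1.1${CRLF}`;
  for (const [name, value] of headers) head += `${name}: ${value}${CRLF}`;
  if (upgrade) head += `Connection: Upgrade${CRLF}Upgrade: ${upgrade}${CRLF}`;
  return head + CRLF;
}

// Folds header names case-insensitively so "Content-Length" and
// "content-length" are one field, then rejects combinations that two hops
// (proxy and origin) could parse differently. Returns the folded Map or throws.
function checkHeaders(headers) {
  const folded = new Map();
  for (const [name, value] of headers) {
    const text = String(value);
    if (!TOKEN.test(name)) throw new Error(`invalid header name ${JSON.stringify(name)}`);
    if (CTL.test(text)) throw new Error(`CR/LF in value of ${name}`);
    const key = name.toLowerCase();
    if (!folded.has(key)) folded.set(key, []);
    folded.get(key).push(text);
  }
  const contentLength = folded.get('content-length');
  if (contentLength) {
    if (contentLength.length > 1) throw new Error('duplicate Content-Length');
    if (!/^\d+$/.test(contentLength[0])) throw new Error('non-numeric Content-Length');
    if (folded.has('transfer-encoding')) throw new Error('Content-Length alongside Transfer-Encoding');
  }
  return folded;
}

// Hardened builder: the upgrade option is validated as a protocol token and
// the full header list passes checkHeaders before anything is serialised.
function buildRequestHead(method, path, headers, options = {}) {
  const list = [...headers];
  if (options.upgrade !== undefined) {
    if (!UPGRADE_PROTOCOL.test(options.upgrade)) throw new Error('invalid upgrade option');
    list.push(['Connection', 'Upgrade'], ['Upgrade', options.upgrade]);
  }
  checkHeaders(list);
  let head = `${method} ${path} HTTP/1.1${CRLF}`;
  for (const [name, value] of list) head += `${name}: ${value}${CRLF}`;
  return head + CRLF;
}

// Number of header lines a receiver would parse out of a head; this is what
// makes the injection visible in the naive path.
function headerLineCount(head) {
  return head.split(CRLF).slice(1).filter((line) => line.length > 0).length;
}

// Usage with constructed input (not captured traffic):
//   naiveRequestHead('GET', '/chat', [['Host', 'example.test']], 'websocket\r\nX-Injected: 1')
//     -> four header lines, the last one attacker-chosen
//   buildRequestHead('GET', '/chat', [['Host', 'example.test']], { upgrade: 'websocket\r\nX-Injected: 1' })
//     -> throws 'invalid upgrade option'
```

The name folding matters as much as the value check: a duplicate-detector that compares raw names sees Content-Length and content-length as two different fields and lets the pair through, which is precisely the inconsistent-interpretation case the advisory describes.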

github-actions[bot] (Contributor) commented:

PR Previews
🚀 Deployed preview to https://docs-preview-int.centreon.com/previews/pr-5311/staging/
🚀 Deployed preview to https://docs-preview-int.centreon.com/previews/pr-5311/next/
at Thu, 21 May 2026 01:07:41 GMT

NOTE: Previews are deleted after 30 days of inactivity
