[Aikido] Fix 1 critical issue in minimist and 3 other issues #5

Open

aikido-autofix[bot] wants to merge 1 commit into master from aikido-security-CXM-317-update-packages-52759986-rrja

Conversation

aikido-autofix (Bot) commented Jun 21, 2026

Upgrade minimist, ws, uuid, and lodash.set to fix prototype pollution, DoS, buffer overflow, and unsafe object manipulation vulnerabilities.

⚠️ Incomplete breaking changes analysis (2/4 analyzed)

⚠️ Breaking changes analysis not available for: minimist, lodash.set

✅ No breaking changes affect this codebase. The uuid package appears only as a transitive dependency in yarn.lock but is not directly imported or used anywhere in the source code. All searches for uuid imports (CommonJS and ES modules), deep imports (uuid/v*), and function calls returned no matches.

All breaking changes by upgrading uuid from version 3.0.0 to 11.1.1 (CHANGELOG)

Version   Description
7.0.0     The default export, which used to be the v4() method, has been removed.
7.0.0     Builtin support for insecure random number generators in the browser has been removed.
7.0.0     Support for generating v3 and v5 UUIDs in Node.js < 4.x has been removed.
7.0.0     Deep imports of the different uuid version functions are deprecated and emit a deprecation warning.
8.0.0     For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export.
8.0.0     Deep requiring specific algorithms like require('uuid/v4') is no longer supported.
8.2.0     Deprecated v4 string parameter has been removed.
9.0.0     Node.js 10.x support has been dropped.
9.0.0     The minified UMD build has been removed from the package.
9.0.0     IE 11 and Safari 10 support has been dropped, along with msCrypto fallback.
10.0.0    Node.js 12 and 14 support has been dropped (only node 16-20 supported).
11.0.0    v1 internal state and options logic has been refactored.
11.0.0    v7 internal state and options logic has been refactored.

✅ 4 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue            Severity      Description
CVE-2021-44906   🚨 CRITICAL   [minimist] <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2024-37890   HIGH          [ws] A request with headers exceeding the server.maxHeadersCount threshold can crash a ws server, causing a denial of service. This vulnerability allows attackers to trigger server crashes through malformed HTTP requests.
CVE-2026-41907   HIGH          [uuid] A buffer overflow vulnerability allows v3, v5, and v6 UUID functions to write beyond caller-provided buffer boundaries when given small buffers or large offsets, causing silent data corruption. This can lead to memory corruption and potential code execution or information disclosure.
CVE-2020-8203    HIGH          [lodash.set] Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

🔗 Related Tasks

🤖 Remediation details

Fix security vulnerabilities in minimist, ws, uuid, and lodash.set

Short summary

This PR remediates four vulnerable packages — minimist, ws, uuid, and lodash.set — across the root package.json and yarn.lock. Direct dependency declarations were updated for ws and lodash; parent dependencies puppeteer and conventional-changelog-cli were bumped to admit patched transitive versions; resolutions entries were added for uuid and the puppeteer-pinned ws; and the abandoned lodash.set package was replaced entirely with the actively-maintained lodash package, with a corresponding source change in shared/localization/swap-locale.js.

minimist

minimist is a transitive dependency pulled in by several packages (handlebars, json5, rc, tsconfig-paths). All parent ranges already admitted a patched version (≥1.2.6), so the fix was a lockfile-only selector refresh — no manifest change was required. The grouped lockfile entry minimist@^1.2.0, minimist@^1.2.5 was refreshed, resolving from 1.2.5 to 1.2.8.

ws

ws appears in four lockfile entries spanning majors 6, 7, and 8. The root direct dependency was tightened from ^7.0.0 to ^7.5.10 to set a patched semver floor for the v7 range. puppeteer was bumped from ^10.2.0 to ^11.0.0 because puppeteer v10 pinned ws at the exact version 8.2.3 (below the v8 patched floor of 8.17.1), making a range refresh impossible without a parent bump; a resolutions entry "puppeteer/ws": "^8.17.1" was also added to override that exact pin. The remaining stale selectors (ws@^6.1.0, ws@^7.3.1, ws@^7.4.5, ws@>=7.4.6) were refreshed via yarn upgrade since their ranges already permitted patched versions.

uuid

All three lockfile instances of uuid (2.0.3, 3.0.0, 3.3.2) trace back to raven and request, both of which are deprecated and have no published version that declares uuid ≥11. No parent-chain fix was possible, so a resolutions entry "uuid": "^11.1.1" was added as a last resort. conventional-changelog-cli was also bumped from ^1.3.4 to ^4.0.0 because v1 depended on tempfile@^1.1.1, which in turn required old uuid; v4 drops that dependency entirely. All three uuid lockfile entries were consolidated into a single resolved version, 11.1.1.

lodash.set

lodash.set is a direct dependency used in shared/localization/swap-locale.js. The package was last published in 2016 at version 4.3.2 and has never been updated; there is no patched version available on npm, which is why Trivy reports "FixedVersion not reported." The package was removed and replaced with a direct dependency on lodash@^4.17.20 (the patched version for this CVE), which was already present in the lockfile transitively at 4.17.21. The co-located require('lodash.get') call in the same file was migrated to lodash/get at the same time, and lodash.get (deprecated upstream) was removed from package.json. The source file was updated to use require('lodash/set') and require('lodash/get').

Version changes

Package                      From                     To                      Why updated
minimist                     1.2.5                    1.2.8                   Direct CVE fix — lockfile selector refresh, ranges already permissive
ws (v6 selector)             6.2.1                    6.2.4                   Direct CVE fix — lockfile selector refresh (ws@^6.1.0)
ws (v7 selectors)            7.4.6 / 7.5.3            7.5.11                  Direct CVE fix — manifest bump (^7.0.0 → ^7.5.10) + selector refresh
ws (v8 selectors)            8.2.0 / 8.2.3            8.21.0                  Direct CVE fix — lockfile refresh + puppeteer/ws resolution override
uuid                         2.0.3 / 3.0.0 / 3.3.2    11.1.1                  Direct CVE fix — resolutions override (no parent-chain fix possible)
lodash.set                   4.3.2                    removed                 Direct CVE fix — abandoned package replaced by lodash
lodash.get                   4.4.2                    removed                 Deprecated package removed alongside lodash.set replacement
lodash                       transitive 4.17.21       direct 4.18.1           Replacement for lodash.set / lodash.get; declared as ^4.17.20
puppeteer                    ^10.2.0 (10.4.0)         ^11.0.0 (11.0.0)        Parent bump required to unpin the ws@8.2.3 exact pin (CVE fix for ws)
conventional-changelog-cli   ^1.3.4 (1.3.4)           ^4.0.0 (4.1.0)          Parent bump to drop the tempfile → old uuid dependency chain
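As an added example (not code from the PR or from Aikido), a small check a reviewer can run against the repository's yarn.lock to confirm that the resolved versions actually meet the patched floors the description states; the package names and floors are taken from this PR, and the lockfile excerpt below is constructed to mirror the pre-fix state, not copied from the real file.

```javascript
// Added example, not code from the PR: audit a yarn.lock (v1) against the patched
// floors the PR description states, per major line; a resolved major with no
// listed floor is reported as having no patched release (e.g. uuid 2.x/3.x).
const FLOORS = {
  minimist: { 1: '1.2.6' },         // CVE-2021-44906
  ws: { 7: '7.5.10', 8: '8.17.1' }, // CVE-2024-37890
  uuid: { 11: '11.1.1' },           // CVE-2026-41907, via the resolutions override
  lodash: { 4: '4.18.0' },          // CVE-2026-4800, flagged in the yarn.lock thread
};
// yarn.lock v1: an unindented line ending in ':' opens an entry (one or more
// "name@selector" keys); the indented `version "x.y.z"` below it is the resolved version.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split('\n')) {
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const key = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      // name = everything before the last '@', so scoped packages keep their prefix
      cur = { name: key.slice(0, key.lastIndexOf('@')), version: null };
      entries.push(cur);
    } else if (cur) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}
// Numeric major.minor.patch comparison; negative when a < b.
function cmpVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// One finding per unpatched entry; an empty array means every tracked package is fixed.
function auditLock(text, floors = FLOORS) {
  const findings = [];
  for (const e of parseYarnLock(text)) {
    const perMajor = floors[e.name];
    if (!perMajor || !e.version) continue; // not a tracked package
    const floor = perMajor[e.version.split('.')[0]];
    if (!floor) findings.push(`${e.name}@${e.version}: no patched release in this major line`);
    else if (cmpVersions(e.version, floor) < 0) findings.push(`${e.name}@${e.version}: below patched floor ${floor}`);
  }
  return findings;
}
// Constructed excerpt mirroring the pre-fix state the PR describes (not the real lockfile).
const PRE_FIX_LOCK = [
  'minimist@^1.2.0, minimist@^1.2.5:', '  version "1.2.5"',
  'ws@8.2.3:', '  version "8.2.3"',
  'uuid@^3.0.0, uuid@^3.3.2:', '  version "3.3.2"',
].join('\n');
```

Running `auditLock` over the real lockfile after the PR is applied should return an empty array; any finding points at a selector the refresh or resolutions override did not reach.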

@github-actions commented

YARN is no longer allowed. Kindly replace the lockfile using PNPM. Found in ./lighthouse-logger/yarn.lock
YARN is no longer allowed. Kindly replace the lockfile using PNPM. Found in ./lighthouse-core/scripts/legacy-javascript/yarn.lock
YARN is no longer allowed. Kindly replace the lockfile using PNPM. Found in ./yarn.lock

Comment thread yarn.lock


CVE-2026-4800 in lodash - critical severity
Impact:

The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Details

Remediation: Aikido suggests bumping this package to version 4.18.0 to resolve this issue.

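An added guard, not code from lodash, Aikido or this PR, that enforces the workaround in the advisory above (static, developer-controlled import names only) before `_.template` is ever called, together with a quick check for the Object.prototype pollution the advisory says compounds the issue and which is the same bug class as the minimist CVE this PR fixes. `escapeHtml` and `formatDate` are assumed helper names, not anything from the repository.

```javascript
// Added example, not code from lodash or the PR: apply the advisory's workaround
// ("only developer-controlled, static key names") as an explicit guard before
// calling _.template, and a check for the prototype-pollution precondition the
// advisory and the minimist CVE share.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/; // a bare JS identifier, nothing else

// Return a null-prototype copy of `imports` holding only own keys that are plain
// identifiers on a static allow-list; anything else throws instead of reaching
// the Function() parameter list. The null prototype means a later for..in over
// the result cannot pick up inherited (possibly polluted) keys either.
function sanitizeImports(imports, allowedNames) {
  const safe = Object.create(null);
  for (const key of Object.keys(imports)) {          // own, enumerable keys only
    if (!IDENTIFIER.test(key)) {
      throw new TypeError(`imports key ${JSON.stringify(key)} is not a plain identifier`);
    }
    if (!allowedNames.has(key)) {
      throw new TypeError(`imports key ${JSON.stringify(key)} is not on the allow-list`);
    }
    safe[key] = imports[key];
  }
  return safe;
}

// Detection: an empty object literal should enumerate nothing. Any key returned
// here sits on Object.prototype (the effect of a prototype-pollution bug such as
// the minimist one this PR fixes) and would be merged into imports by for..in.
function pollutedPrototypeKeys() {
  const keys = [];
  for (const k in {}) keys.push(k);
  return keys;
}

// Constructed usage: the template helpers this app intends to expose (assumed names).
const ALLOWED_IMPORTS = new Set(['escapeHtml', 'formatDate']);
const SAFE_IMPORTS = sanitizeImports(
  { escapeHtml: (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`) },
  ALLOWED_IMPORTS,
);
// _.template(source, { imports: SAFE_IMPORTS }) would then only ever see identifier names.
```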
