
[Aikido] Fix 16 security issues in h3, @astrojs/node, devalue and 4 more#1270

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-20995721-b18b

Conversation


@aikido-autofix aikido-autofix Bot commented Mar 29, 2026

Upgrade dependencies to fix critical SSE injection in H3 and multiple high-severity vulnerabilities in Astro: SSRF, memory exhaustion DoS, and unauthorized remote image fetching.

⚠️ Incomplete breaking changes analysis (5/7 analyzed)

⚠️ Breaking changes analysis not available for: h3, devalue

✅ No breaking changes from either package upgrade affect this codebase:

h3 (1.15.5 => 1.15.9):

  • The codebase doesn't use Server-Sent Events (SSE), so the SSE sanitization changes don't apply

  • The codebase doesn't directly use h3's static file serving or path handling functions, so the path traversal fixes don't affect it

  • h3 is only a transitive dependency through @astrojs/node and unstorage, with no direct usage

@astrojs/node (9.3.3 => 10.0.0):

  • The experimentalErrorPageHost option is not configured in frontend/astro.config.ts (only mode: "standalone" is set)

  • The allowedDomains option is not configured, and the codebase doesn't rely on X-Forwarded-Proto header handling in the Astro adapter (CSRF handling is done in the Django backend)

The upgrade can proceed safely.

All breaking changes by upgrading @astrojs/node from version 9.3.3 to 10.0.0 (CHANGELOG)

| Version | Description |
| --- | --- |
| 10.0.0 | Removes the experimentalErrorPageHost option - this option for fetching prerendered error pages from a different host has been removed due to security implications and must be deleted from adapter configuration |
| 10.0.0 | Restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured - this changes the behavior of CSRF origin checking and may affect deployments that previously relied on X-Forwarded-Proto without configuring allowedDomains |
✅ 16 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-33128 | 🚨 CRITICAL | [h3] createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization, allowing attackers who control SSE message fields to inject arbitrary events to connected clients. |
| GHSA-4hxc-9384-m385 | MEDIUM | [h3] The EventStream class fails to sanitize carriage return (\r) characters in data and comment fields, allowing attackers to inject arbitrary SSE events, spoof event types, and split single push() calls into multiple browser-parsed events. This bypasses a prior fix that only addressed newline (\n) injection. |
| CVE-2026-25545 | HIGH | [@astrojs/node] Server-Side Rendered pages with prerendered custom error pages are vulnerable to SSRF attacks via Host header manipulation, allowing attackers to fetch internal URLs and cloud metadata. An attacker with direct server access can redirect requests to internal services and read response bodies. |
| CVE-2026-27729 | HIGH | [@astrojs/node] Astro server actions lack default request body size limits, allowing unauthenticated attackers to send oversized POST requests that exhaust server memory and cause denial of service crashes on SSR deployments. |
| CVE-2026-29772 | HIGH | [@astrojs/node] Unbounded JSON parsing in Server Islands POST handler allows memory exhaustion via crafted payloads with ~15x amplification, enabling unauthenticated DoS attacks on all Astro SSR apps with Node adapter. |
| CVE-2026-27829 | HIGH | [@astrojs/node] A bug in the image pipeline allows bypassing image.domains/image.remotePatterns restrictions when inferSize is enabled, enabling server-side requests to unauthorized hosts including internal services (SSRF vulnerability). Attackers can exploit this by controlling image URLs to fetch from arbitrary domains. |
| CVE-2025-55207 | MEDIUM | [@astrojs/node] An Open Redirect vulnerability exists in the Node deployment adapter when standalone mode is enabled with trailingSlash set to "always", allowing attackers to craft malicious links that redirect users to external sites, enabling phishing attacks and credential theft. |
| CVE-2026-30226 | HIGH | [devalue] Prototype pollution vulnerability in parse and unflatten functions allows attackers to cause Denial of Service or type confusion through maliciously crafted payloads. |
| GHSA-mwv9-gp5h-frr4 | LOW | [devalue] The parsing functions can emit objects with __proto__ own properties, enabling prototype pollution attacks when downstream code uses unsafe operations like Object.assign to merge the parsed result, potentially allowing arbitrary code execution or property manipulation. |
| GHSA-8qm3-746x-r74r | LOW | [devalue] Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data. |
| GHSA-33hq-fvwr-56pm | LOW | [devalue] Serializing sparse arrays via uneval or stringify can cause CPU and memory exhaustion, leading to denial of service on affected servers. Exploitation is impractical as it requires attackers to create sparse arrays on the server through unsupported wire formats. |
| CVE-2026-27901 | MEDIUM | [svelte] Improper escaping of bind:innerText and bind:textContent on contenteditable elements allows HTML injection and Cross-Site Scripting (XSS) attacks when rendering untrusted data as initial binding values on the server. |
| CVE-2026-27902 | MEDIUM | [svelte] Errors from transformError are not properly escaped before being embedded in HTML output, allowing HTML injection and XSS attacks if attacker-controlled content is returned from the function. |
| CVE-2026-33672 | MEDIUM | [picomatch] A method injection vulnerability in POSIX bracket expressions allows specially crafted patterns to reference inherited methods, causing incorrect glob matching behavior that could bypass security-relevant filtering or validation logic. This integrity issue affects applications relying on glob patterns for access control. |
| GHSA-v3rj-xjv7-4jmq | MEDIUM | [smol-toml] A stack overflow vulnerability allows attackers to crash the parser by sending TOML with thousands of consecutive commented lines, exploiting recursive parsing logic. This causes denial of service for applications processing untrusted TOML documents. |
| CVE-2026-33769 | MEDIUM | [astro] Path matching logic for remote URL patterns is unanchored, allowing attackers to bypass remotePatterns restrictions and fetch unauthorized paths on allowlisted hosts through server-side fetchers like image optimization. |
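The SSE injection the bot's table describes for h3 (CVE-2026-33128 and the carriage-return bypass in GHSA-4hxc-9384-m385), as an added example that is not h3's code and not part of this PR. It is a toy text/event-stream encoder in three forms (verbatim interpolation, an LF-only strip that mirrors the advisory's description of the incomplete fix, and a hardened encoder) next to a spec-style parser that splits the stream the way a browser's EventSource does, so the effect of each encoder is visible. The `formatEvent*`/`parseSse` names and the `{"role":"admin"}` payload are constructed for the demonstration.

```javascript
// Added illustration of the SSE injection class fixed in h3 1.15.9. Not h3's code.

// EventSource treats CR, LF and CRLF as line terminators; a blank line dispatches the event.
const LINE_BREAK = /\r\n|\r|\n/;

// Minimal parser for a complete text/event-stream body. Returns the events a browser would dispatch.
function parseSse(body) {
  const events = [];
  let data = [];
  let event = "message";
  let id;
  for (const line of body.split(LINE_BREAK)) {
    if (line === "") {
      if (data.length > 0) events.push({ event, id, data: data.join("\n") });
      data = [];
      event = "message";
      id = undefined;
      continue;
    }
    if (line.startsWith(":")) continue; // comment line
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") data.push(value);
    else if (field === "event") event = value;
    else if (field === "id") id = value;
  }
  return events;
}

// Vulnerable: fields are interpolated verbatim, so a line break inside `data` starts a new SSE line,
// and two of them produce the blank line that ends the event and starts an attacker-defined one.
function formatEventUnsafe({ event, id, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  return out + `data: ${data}\n\n`;
}

// Incomplete: strips LF only. Mirrors the advisory's description of the fix the CR bypass defeated.
function formatEventLfOnly(fields) {
  const strip = (v) => (v === undefined ? v : String(v).replace(/\n/g, ""));
  return formatEventUnsafe({ event: strip(fields.event), id: strip(fields.id), data: strip(fields.data) });
}

// Hardened: event/id may not contain any line break; data is re-split so every line is its own
// `data:` line, which preserves the payload (the client rejoins the lines with LF) and can never
// produce the blank line that would dispatch an extra event.
function formatEventSafe({ event, id, data }) {
  const oneLine = (v) => String(v).replace(/[\r\n]/g, "");
  let out = "";
  if (id !== undefined) out += `id: ${oneLine(id)}\n`;
  if (event !== undefined) out += `event: ${oneLine(event)}\n`;
  for (const piece of String(data).split(LINE_BREAK)) out += `data: ${piece}\n`;
  return out + "\n";
}

// Constructed attacker-controlled messages: a blank line followed by a forged event/data pair,
// once with LF and once with bare CR (the variant an LF-only filter lets through).
const INJECTION_LF = 'hello\n\nevent: admin\ndata: {"role":"admin"}';
const INJECTION_CR = 'hello\r\revent: admin\rdata: {"role":"admin"}';

function sseDemo() {
  return {
    unsafe: parseSse(formatEventUnsafe({ data: INJECTION_LF })), // 2 events, second has type "admin"
    lfOnly: parseSse(formatEventLfOnly({ data: INJECTION_CR })), // still 2 events: the CR bypass
    safe: parseSse(formatEventSafe({ data: INJECTION_LF })),     // 1 "message" event, data intact
  };
}

console.log(JSON.stringify(sseDemo(), null, 2));
```

The hardened encoder deliberately keeps the payload's line breaks instead of deleting them: splitting `data` into multiple `data:` lines is what the SSE format provides for multi-line values, so a legitimate message round-trips unchanged while a forged `event:` line arrives at the client as literal data. Only the single-line fields (`event`, `id`) have line breaks removed.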
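The unanchored remote-pattern path matching the table describes for CVE-2026-33769, as an added illustration that is not Astro's matcher and not part of this PR. The allowlist shape (protocol, hostname, pathname glob), the `pathnameGlobToRegex` and `isAllowedRemoteUrl` helpers and the cdn.example.com allowlist are assumptions made for the example. It shows other paths on an allowlisted host passing an unanchored check, and the related check a practitioner wants: the comparison has to run on the parsed pathname, after the URL parser has resolved dot segments, not on the raw string.

```javascript
// Added illustration of the unanchored path-matching bug class. Not Astro's code.

// Compile a pathname glob: "**" matches across segments, "*" matches within one segment.
// `anchored: false` reproduces the bug class: the regex may match anywhere inside the path.
function pathnameGlobToRegex(glob, { anchored = true } = {}) {
  const escapeLiteral = (s) => s.replace(/[.+?^${}()|\[\]\\]/g, "\\$&");
  const source = glob
    .split("**")
    .map((chunk) => chunk.split("*").map(escapeLiteral).join("[^/]*"))
    .join(".*");
  return new RegExp(anchored ? `^${source}$` : source);
}

// Allowlist check against patterns of the form { protocol, hostname, pathname }, all optional.
function isAllowedRemoteUrl(urlString, patterns, { anchored = true } = {}) {
  let url;
  try {
    url = new URL(urlString); // the WHATWG parser resolves "." and ".." before pathname is read
  } catch {
    return false;
  }
  return patterns.some(
    (p) =>
      (p.protocol === undefined || p.protocol === url.protocol.slice(0, -1)) &&
      (p.hostname === undefined || p.hostname === url.hostname) &&
      (p.pathname === undefined || pathnameGlobToRegex(p.pathname, { anchored }).test(url.pathname))
  );
}

// Constructed allowlist: anything under /images/ on one CDN host, HTTPS only.
const PATTERNS = [{ protocol: "https", hostname: "cdn.example.com", pathname: "/images/**" }];

// Constructed test URLs. `rawPrefix` is the naive string check that a ".." segment fools.
function allowlistDemo() {
  const cases = {
    legit: "https://cdn.example.com/images/cat.png",
    otherDirectory: "https://cdn.example.com/uploads/images/cat.png",
    dotSegments: "https://cdn.example.com/images/../private/export.json",
    otherHost: "https://evil.example.com/images/cat.png",
    plainHttp: "http://cdn.example.com/images/cat.png",
  };
  const out = {};
  for (const [name, u] of Object.entries(cases)) {
    out[name] = {
      unanchored: isAllowedRemoteUrl(u, PATTERNS, { anchored: false }),
      anchored: isAllowedRemoteUrl(u, PATTERNS),
      rawPrefix: u.startsWith("https://cdn.example.com/images/"),
    };
  }
  return out;
}

console.log(JSON.stringify(allowlistDemo(), null, 2));
```

The `otherDirectory` case is the bug: with the anchors missing, `/images/` is found in the middle of `/uploads/images/cat.png` and the fetch is allowed. The `dotSegments` case passes the raw prefix check but is rejected by both regex variants because `new URL()` has already rewritten the pathname to `/private/export.json`; a matcher that compares the unparsed string would have allowed the fetch to the very path it thought it was excluding.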
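The devalue `__proto__` own-property issue in the table (CVE-2026-30226, GHSA-mwv9-gp5h-frr4), as an added example that is not devalue's code and not part of this PR. JSON.parse stands in for any deserializer that emits an own `__proto__` key (the advisory says affected devalue versions do); two consumer-side merges show how that key becomes a prototype swap on one object and then global prototype pollution, followed by a hardened merge. `untrustedPayload`, `assignDemo`, `unsafeDeepMerge`, `pollutionDemo` and `safeDeepMerge` are names made up for the example.

```javascript
// Added illustration of the prototype-pollution class behind the devalue advisories. Not devalue's code.

// Deserializers that use CreateDataProperty (JSON.parse here, the affected devalue versions per the
// advisory) produce an *own* enumerable property literally named "__proto__", not a prototype change.
function untrustedPayload() {
  return JSON.parse('{"__proto__":{"isAdmin":true},"name":"guest"}');
}

// Consumer 1: Object.assign copies with [[Set]], which reaches Object.prototype's __proto__ setter and
// swaps the *target's* prototype. The object then answers isAdmin === true while owning no such key.
function assignDemo() {
  const session = Object.assign({ userId: 42 }, untrustedPayload());
  return { isAdmin: session.isAdmin, ownKeys: Object.keys(session) };
}

// Consumer 2: a naive recursive deep merge. target["__proto__"] reads Object.prototype, so the
// recursion writes isAdmin onto the global prototype and every object in the process is affected.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function pollutionDemo() {
  const bystander = {}; // created before the merge and never touched by it
  unsafeDeepMerge({}, untrustedPayload());
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the damage so the rest of the process is sane
  return polluted;
}

// Hardened merge: refuse the three keys that can reach a prototype, and only recurse into
// properties the target actually owns so a lookup never walks the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

console.log(JSON.stringify({ assign: assignDemo(), globalPollution: pollutionDemo() }));
```

The `assignDemo` result is the "type confusion" the advisory mentions: `Object.keys(session)` lists only `userId` and `name`, yet `session.isAdmin` is `true`, so a check that enumerates own keys and a check that reads the property disagree about the same object. Rejecting the payload is the right response; silently dropping the key would hide that something upstream is feeding the application crafted input.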

aikido-autofix[bot] changed the title from "[Aikido] Fix 16 security issues in @astrojs/node, devalue, h3 and 4 more" to "[Aikido] Fix 16 security issues in h3, @astrojs/node, devalue and 4 more" on Mar 30, 2026
ekin-odabas marked this pull request as draft on April 9, 2026 12:34
aikido-autofix[bot] changed the title from "[Aikido] Fix 16 security issues in h3, @astrojs/node, devalue and 4 more" to "[Aikido] Fix 16 critical issues in devalue, svelte, @astrojs/node and 4 more" on Apr 14, 2026
aikido-autofix[bot] force-pushed the fix/aikido-security-update-packages-20995721-b18b branch from f07ebfd to d4ecbad on April 14, 2026 23:40
aikido-autofix[bot] changed the title from "[Aikido] Fix 16 critical issues in devalue, svelte, @astrojs/node and 4 more" to "[Aikido] Fix 16 security issues in h3, @astrojs/node, devalue and 4 more" on Apr 14, 2026
252afh closed this on Apr 15, 2026
252afh commented Apr 15, 2026

Closed to generate a new one

@252afh 252afh deleted the fix/aikido-security-update-packages-20995721-b18b branch April 15, 2026 06:01