
Conversation


@aikido-autofix aikido-autofix bot commented Jan 23, 2026

Patches critical RCE vulnerabilities in React Native CLI, fixes cryptographic nonce reuse, and mitigates prototype pollution risks in dependencies.

✅ 4 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue | Severity | Description

AIKIDO-2025-10854 | 🚨 CRITICAL | Metro dev server in React Native CLI allows unauthenticated remote attackers to inject and execute arbitrary OS commands via crafted POST requests, with potential for full remote code execution, especially on Windows systems.
AIKIDO-2024-10466 | MEDIUM | Signature algorithm vulnerability allows private key recovery by exploiting nonce reuse, enabling attackers to compromise cryptographic system security through repeated transaction signatures.
GHSA-qj3p-xc97-xw74 | MEDIUM | A malicious debug package version could interfere with dApp-to-wallet communication when installed during a specific time window, potentially compromising browser-based MetaMask SDK applications through dependency injection.
AIKIDO-2025-10809 | MEDIUM | Prototype Pollution vulnerability in YAML parsing allows attackers to inject malicious properties into object prototypes, potentially leading to remote code execution, DoS, or other security breaches through crafted input.

PR-Codex overview

This PR focuses on updating the dependency versions and restructuring the package.json files across multiple packages to improve compatibility and maintainability.

Detailed summary

  • Reformatted files array in package.json files for consistency.
  • Updated wagmi version in packages/web3-react-agw/package.json from ^2.14.11 to ^2.17.1.
  • Updated react-dom version in packages/agw-react/package.json from ^18 to ^18.
  • Updated various dependencies across multiple package.json files to newer versions.
  • Added new dependencies in package.json files, including specific versions for @changesets/parse, js-yaml, and react-native.
  • Updated typescript version across multiple packages to >=5.0.4.
  • Updated viem version in packages/agw-client from 2.33.3 to 2.44.4.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}
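The nonce-reuse entry above (AIKIDO-2024-10466) has an observable symptom a maintainer can check for directly. The following is an added example, not code from this PR or from the project: it parses 65-byte Ethereum-style signatures (r || s || v, the layout the viem/wagmi stack handles) and flags any signer whose signatures share an r value, which is what a repeated nonce looks like from the outside. It also flags high-s signatures, which a well-behaved signer never emits. The signer addresses and signature bytes are constructed for the demonstration and are not real signatures; the audit only reports the condition.

```javascript
// Added example (not the project's code): auditing a batch of Ethereum-style
// ECDSA signatures for nonce reuse. Two signatures from the same signer with
// the same r value mean the same nonce k was used twice, which is the
// condition behind the private-key recovery described in the CVE. The audit
// only detects the condition; it performs no recovery.

// secp256k1 group order n, needed for the low-s (malleability) check.
const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');
const HALF_N = SECP256K1_N / 2n;

// Split a 65-byte hex signature (r || s || v) into its components.
function parseSignature(hex) {
  const body = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (body.length !== 130 || !/^[0-9a-fA-F]+$/.test(body)) {
    throw new Error(`expected 65-byte hex signature, got ${hex}`);
  }
  return {
    r: BigInt('0x' + body.slice(0, 64)),
    s: BigInt('0x' + body.slice(64, 128)),
    v: parseInt(body.slice(128, 130), 16),
  };
}

// Report every (signer, r) pair shared by more than one signature, plus any
// signature whose s is above n/2 (the non-canonical, malleable form).
function auditSignatures(records) {
  const byNonce = new Map(); // "signer:r" -> indices of records sharing it
  const highS = [];
  records.forEach((rec, i) => {
    const sig = parseSignature(rec.signature);
    const key = `${rec.signer.toLowerCase()}:${sig.r.toString(16)}`;
    if (!byNonce.has(key)) byNonce.set(key, []);
    byNonce.get(key).push(i);
    if (sig.s > HALF_N) highS.push(i);
  });
  const nonceReuse = [];
  for (const [key, idx] of byNonce) {
    if (idx.length > 1) nonceReuse.push({ signer: key.split(':')[0], records: idx });
  }
  return { nonceReuse, highS };
}

// Constructed sample: hex values chosen for the demonstration, not real
// signatures. Records 0 and 2 come from the same signer (address case differs)
// and share r; record 3 has a high s value.
const R1 = '1'.repeat(64);
const R2 = '2'.repeat(64);
const LOW_S = '0' + '3'.repeat(63);
const HIGH_S = 'f'.repeat(64);
const SAMPLE = [
  { signer: '0xAbCd000000000000000000000000000000000001', signature: '0x' + R1 + LOW_S + '1b' },
  { signer: '0xAbCd000000000000000000000000000000000001', signature: '0x' + R2 + LOW_S + '1c' },
  { signer: '0xabcd000000000000000000000000000000000001', signature: '0x' + R1 + LOW_S + '1c' },
  { signer: '0xAbCd000000000000000000000000000000000002', signature: '0x' + R1 + HIGH_S + '1b' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSignatures(SAMPLE)));
}
```

Signers that derive k deterministically from the key and message (RFC 6979) cannot produce two signatures with the same r for different messages, so a hit from this audit over signatures you already hold is a strong sign the signing library was not doing that.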

@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Jan 23, 2026
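For the YAML prototype-pollution entry (AIKIDO-2025-10809), here is an added example, not code from this PR or from js-yaml, showing the mechanism from the defender's side: a parser that hands back an own "__proto__" key turns a naive deep-merge into a write to Object.prototype, a hardened merge refuses such keys, and a small canary reports whether the running process has already been polluted. The input object is constructed with JSON.parse to stand in for a permissive loader's output; the property name isAdmin is an arbitrary choice for the demonstration.

```javascript
// Added example (not the project's code): how a "__proto__" key from a parser
// pollutes Object.prototype through a naive deep-merge, a hardened merge, and
// a runtime canary for detecting pollution.

// Constructed stand-in for what a permissive YAML/JSON loader returns for
// attacker-controlled text. JSON.parse creates an *own* property literally
// named "__proto__" instead of setting the prototype; that own key is what
// the naive merge below follows into Object.prototype.
const UNTRUSTED = JSON.parse('{"name": "app", "__proto__": {"isAdmin": true}}');

// Naive recursive merge, typical of config loaders layering input over defaults.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes into every plain object in the process.
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: own keys only, prototype-reaching names dropped, and
// null-prototype containers so no inherited accessor can be reached.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof existing !== 'object' || existing === null) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime canary: a clean Object.prototype has no own enumerable keys and a
// fresh object inherits nothing unexpected.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0 && ({}).isAdmin === undefined;
}

// Run both merges over the same input and report the canary at each stage.
function demonstrate() {
  const cleanAtStart = prototypeIsClean();
  unsafeMerge({}, UNTRUSTED);
  const cleanAfterUnsafe = prototypeIsClean(); // false: every object now has isAdmin
  delete Object.prototype.isAdmin;             // undo the damage before the hardened run
  const merged = safeMerge({}, UNTRUSTED);
  const cleanAfterSafe = prototypeIsClean();   // true: the key was dropped
  return {
    cleanAtStart,
    cleanAfterUnsafe,
    cleanAfterSafe,
    mergedName: merged.name,
    mergedKeys: Object.keys(merged),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate()));
}
```

Loaders that parse into null-prototype objects, or merge routines that iterate Object.keys with a denylist as above, close the same hole; the canary is cheap enough to run from a health-check endpoint so that a polluted process is noticed rather than silently misbehaving.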

changeset-bot bot commented Jan 23, 2026

⚠️ No Changeset found

Latest commit: a1ecc8a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


cursor bot commented Jan 23, 2026

PR Summary

Security- and maintenance-focused dependency updates; no source files changed.

  • Adds pnpm overrides to pin safe versions for react-native/metro/RN CLI, js-yaml, and @changesets/parse, plus other patched transitive deps
  • Bumps dev deps: thirdweb (agw-react) to a nightly build and wagmi (web3-react-agw) to ^2.17.1
  • Minor package.json formatting and files/typesVersions list normalization across packages

Written by Cursor Bugbot for commit a1ecc8a. This will update automatically on new commits. Configure here.

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

"react": ">=18.3.1",
"react-dom": ">=18.3.1",
"thirdweb": "^5.68.0",
"thirdweb": "5.72.0-nightly-393d0cfb504401d6449a75cbe8422946d157fc93-20241202000349",

Nightly build version accidentally committed in devDependencies

Medium Severity

The thirdweb devDependency was changed from the stable version ^5.68.0 to a nightly build 5.72.0-nightly-393d0cfb504401d6449a75cbe8422946d157fc93-20241202000349. This appears to be a development artifact accidentally included in a security-focused PR. Nightly builds are unstable, can contain breaking changes, and create a mismatch with the declared peerDependency of ^5.68.0 that consumers will use. This could cause testing to miss compatibility issues.


@aikido-autofix aikido-autofix bot closed this Jan 25, 2026