fix(security): address Dependabot vulnerabilities

- Upgrade lodash 4.17.21 → 4.17.23 (fixes prototype pollution in _.unset/_.omit)
- Upgrade diff 8.0.2 → 8.0.3 (fixes DoS in parsePatch/applyPatch)
- Upgrade ai 5.0.0 → 5.0.52 (fixes file type whitelist bypass)
- Add @ai-sdk/provider and @ai-sdk/provider-utils overrides to fix version conflicts

Closes 11 Dependabot alerts (4 medium lodash, 4 low diff, 3 low ai)

Author: brandonkachen

bun.lock

@@ -26,9 +26,9 @@
     "@types/pg": "^8.11.10",
     "@types/readable-stream": "^4.0.18",
     "@types/seedrandom": "^3.0.8",
-    "ai": "^5.0.0",
+    "ai": "^5.0.52",
     "ignore": "5.3.2",
-    "lodash": "4.17.21",
+    "lodash": "4.17.23",
     "next-auth": "^4.24.11",
     "partial-json": "^0.1.7",
     "pg": "^8.14.1",

common/package.json

@@ -43,7 +43,9 @@
   "overrides": {
     "baseline-browser-mapping": "^2.9.14",
     "zod": "^4.2.1",
-    "signal-exit": "3.0.7"
+    "signal-exit": "3.0.7",
+    "@ai-sdk/provider": "2.0.1",
+    "@ai-sdk/provider-utils": "3.0.20"
   },
   "devDependencies": {
     "@tanstack/react-query": "^5.90.12",
@@ -59,7 +61,7 @@
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-unused-imports": "^4.1.4",
     "ignore": "^6.0.2",
-    "lodash": "4.17.21",
+    "lodash": "4.17.23",
     "prettier": "^3.7.4",
     "ts-node": "^10.9.2",
     "ts-pattern": "^5.5.0",

package.json

@@ -61,8 +61,8 @@
     "@ai-sdk/anthropic": "2.0.50",
     "@jitl/quickjs-wasmfile-release-sync": "0.31.0",
     "@vscode/tree-sitter-wasm": "0.1.4",
-    "ai": "^5.0.0",
-    "diff": "8.0.2",
+    "ai": "^5.0.52",
+    "diff": "8.0.3",
     "ignore": "7.0.5",
     "micromatch": "^4.0.8",
     "web-tree-sitter": "0.25.6",