[Aikido] Fix 5 security issues in json, puma, psych

[aikido-autofix]

Upgrade json, puma, and psych to fix heap buffer overflow, DoS, and IP spoofing vulnerabilities in JSON generation/parsing, PROXY protocol handling, and YAML parsing.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
AIKIDO-2026-10977	LOW	[json] A heap buffer overflow vulnerability exists in the native generator when computing output buffer capacity for repeated indent/spacing strings, potentially causing memory corruption. Additionally, an unchecked depth option can cause denial of service through excessive nesting work.
AIKIDO-2026-10978	LOW	[json] A use-after-free vulnerability in JSON parsing allows concurrent mutation of the source string during parsing through Ruby-level hooks, potentially causing memory corruption and parsed value divergence. The patch freezes or copies the source buffer to prevent modification during parsing.
CVE-2026-47736	LOW	[puma] PROXY protocol v1 support allows attackers to send continuous bytes without CRLF terminators, causing unbounded memory growth and CPU consumption that can lead to process OOM or denial of service through a single unauthenticated TCP connection.
CVE-2026-47737	LOW	[puma] Source IP spoofing vulnerability when PROXY protocol v1 is enabled with persistent connections; attackers can inject malicious PROXY headers between keep-alive requests to spoof REMOTE_ADDR, potentially bypassing security controls like rate limiting or access lists.
AIKIDO-2026-11069	LOW	[psych] A heap out-of-bounds write vulnerability exists in the YAML parser's IO reader callback, which fails to validate the length of data returned by IO#read operations. This allows attackers to trigger a buffer overflow and achieve remote code execution through Psych.load, Psych.safe_load, or Psych.parse.

🔗 Related Tasks

• https://aikido.atlassian.net/browse/AIK-14623

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[aikido-autofix]

Closed by Aikido: a new AutoFix has been created → #300