[Aikido] Fix 7 security issues in net-imap, nokogiri, psych

[aikido-autofix]

Upgrade net-imap, nokogiri, and psych to fix CRLF injection, command injection, memory leak, and canonicalization validation vulnerabilities.

✅ 7 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-47240	LOW	[net-imap] IMAP command injection vulnerability where non-synchronizing literals in raw data arguments can be interpreted as new commands on servers lacking LITERAL+/LITERAL-/IMAP4rev2 support, enabling arbitrary IMAP command execution. Affects search, sort, thread, and fetch commands when processing unvalidated user input.
CVE-2026-47242	LOW	[net-imap] The #id and #enable commands fail to validate arguments, allowing attackers to inject arbitrary IMAP commands via CRLF sequences. This could enable command injection attacks when untrusted input is passed to these methods, potentially leading to unauthorized mailbox operations.
CVE-2026-47241	LOW	[net-imap] A regex validation bypass in IMAP commands allows attackers to inject literal-continuation markers (e.g., {0}) that cause command absorption and connection hangs, resulting in denial of service. The vulnerability affects search, sort, thread, and fetch commands when processing user-controlled input.
GHSA-v2fc-qm4h-8hqv	LOW	[nokogiri] XSLT transform leaks small heap allocations when passed Ruby strings containing null bytes, potentially enabling denial of service attacks on long-running processes through sustained attacker-controlled input. Memory corruption and information disclosure do not occur.
GHSA-wx95-c6cv-8532	LOW	[nokogiri] Canonicalization failure in canonicalize methods returns empty string instead of raising an exception, allowing downstream libraries to accept invalid XML and bypass signature validation in SAML implementations.
GHSA-c4rq-3m3g-8wgx	LOW	[nokogiri] CSS selector tokenizer contains regular expressions vulnerable to ReDoS attacks on adversarial selectors, allowing attackers to cause exponential regex backtracking and denial of service through CSS parsing methods.
AIKIDO-2026-11069	LOW	[psych] A heap out-of-bounds write vulnerability exists in the YAML parser's IO reader callback, which fails to validate the length of data returned by IO#read operations. This allows attackers to trigger a buffer overflow and achieve remote code execution through Psych.load, Psych.safe_load, or Psych.parse.

🔗 Related Tasks

• https://aikido.atlassian.net/browse/AIK-14879

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[aikido-autofix]

Closed by Aikido: a new AutoFix has been created → #301