
[Aikido] Fix security issue in axios via minor version upgrade from 1.15.1 to 1.16.1#1690

Open: aikido-autofix[bot] wants to merge 2 commits into main from fix/aikido-security-update-packages-37389670-vdfh

Conversation


@aikido-autofix aikido-autofix Bot commented May 21, 2026

Upgrade axios to fix confidentiality breach in HTTPS proxy handling, enforce response size limits in fetch adapter, prevent prototype pollution in form data parsing, and fix regex DoS in cookie parsing.

✅ Code not affected by breaking changes.

✅ No breaking changes from the axios upgrade affect this codebase.

The codebase uses axios in three locations:

  • packages/constructs/header-change-detection/lib/lambda/header-check.ts - uses axios.get() with validateStatus option

  • packages/constructs/prerender-proxy/lib/handlers/error-response.ts - uses axios.create() with timeout, maxRedirects, validateStatus, and httpsAgent options

  • packages/constructs/prerender-fargate/lib/recaching/prerender-recache-api-construct.consumer.ts - uses axios.get() with headers and validateStatus options

None of the breaking changes apply:

  1. Fetch adapter limits: No custom adapter is configured, and maxBodyLength/maxContentLength are not set anywhere

  2. Basic auth in URLs: No URLs with embedded credentials (format user:pass@host) were found

  3. parseProtocol: This internal function is not used directly in the codebase

  4. URL encoding changes: No evidence of reliance on legacy unescape() behavior or non-ASCII URL handling

All breaking changes by upgrading axios from version 1.15.1 to 1.16.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 1.16.0 | Fetch adapter now enforces maxBodyLength and maxContentLength limits that were previously silently ignored |
| 1.16.0 | Basic auth credentials embedded in URLs are now URL-decoded before being sent |
| 1.16.0 | parseProtocol now strictly requires a colon in the protocol separator; strings that loosely parsed as protocols before may no longer match |
| 1.16.0 | Deprecated unescape() replaced with modern UTF-8 encoding; non-ASCII URL handling may produce different output bytes for consumers depending on legacy unescape() quirks |
✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| AIKIDO-2026-10823 | HIGH | [axios] HTTP adapter incorrectly routes HTTPS traffic through HTTP proxies in cleartext instead of using CONNECT tunnels, allowing proxies to observe sensitive request metadata and payloads that should be encrypted. |
| AIKIDO-2026-10820 | MEDIUM | [axios] Request size limits were not enforced in the fetch adapter, allowing responses and bodies to exceed configured limits, potentially causing denial of service or memory exhaustion. The vulnerability has been fixed to properly reject oversized responses and bodies. |
| AIKIDO-2026-10822 | LOW | [axios] A prototype pollution vulnerability in the formDataToJSON helper allows attackers to pollute Object.prototype through specially crafted multipart field names, potentially enabling remote code execution or other malicious actions. |
| AIKIDO-2026-10819 | LOW | [axios] A regular expression vulnerability in browser cookie parsing allowed metacharacters in cookie names to cause incorrect matching or excessive CPU consumption. The vulnerability was fixed by switching to literal string comparison instead of regex-based matching. |

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner May 21, 2026 00:30
@aikido-autofix aikido-autofix Bot requested review from AdamJHall and crispy101 May 21, 2026 00:30
