fix(deps): bump lodash to >=4.18.0 to address CVE-2026-4800

commitizen pins lodash at 4.17.21, which is vulnerable to code injection
via _.template imports key names. Add npm override to force all transitive
lodash to match the direct dependency range (^4.18.0).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: michaelphamcf

package-lock.json

@@ -99,7 +99,7 @@
     "in-publish": "^2.0.1",
     "jsonwebtoken": "^9.0.2",
     "lint-staged": "^16.3.3",
-    "lodash": "^4.17.20",
+    "lodash": "^4.18.0",
     "nodemon": "^3.1.2",
     "playwright": "^1.49.0",
     "prettier": "3.6.2",
@@ -167,6 +167,9 @@
       "@semantic-release/github"
     ]
   },
+  "overrides": {
+    "lodash": "$lodash"
+  },
   "size-limit": [
     {
       "path": "./dist/cjs/index.cjs",