
deps(npm): bump lodash from 4.17.21 to 4.18.1 #133

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/lodash-4.18.1


dependabot bot commented on behalf of github Apr 9, 2026

Bumps lodash from 4.17.21 to 4.18.1.

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
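
As an added example (not lodash's code and not part of this PR), the two Security entries in the release notes above can be mirrored by application-side input guards: one rejects paths that pass through constructor or prototype before the final key, including array-wrapped segments, and one rejects imports keys that are not plain identifiers. The names toKeys, traversesPrototype, naiveTraversesPrototype and assertSafeImportKeys, the IDENTIFIER pattern and the inclusion of __proto__ in the block list are assumptions of this sketch.

```javascript
// Added example: application-side guards, not lodash source code.
// IDENTIFIER and BLOCKED_KEYS are assumptions of this sketch.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const BLOCKED_KEYS = new Set(['constructor', 'prototype', '__proto__']);

// Turn a lodash-style path ('a.b[0].c' or an array of segments) into string
// keys. String() is the coercion a property access applies to a segment, so
// the array-wrapped segment ['constructor'] becomes 'constructor'.
function toKeys(path) {
  if (Array.isArray(path)) return path.map((seg) => String(seg));
  return String(path)
    .split(/[.[\]]+/)
    .filter(Boolean)
    .map((k) => k.replace(/^['"]|['"]$/g, ''));
}

// True when a blocked key appears before the final key, i.e. the path would
// walk through a constructor or prototype object on its way to the target.
function traversesPrototype(path) {
  return toKeys(path).slice(0, -1).some((k) => BLOCKED_KEYS.has(k));
}

// For comparison: a guard that inspects raw segments without coercion does
// not recognise an array-wrapped segment.
function naiveTraversesPrototype(path) {
  const segs = Array.isArray(path) ? path : String(path).split('.');
  return segs.slice(0, -1).some((seg) => BLOCKED_KEYS.has(seg));
}

// Throws unless every imports key is a plain identifier, so no key can change
// the parameter list that a Function()-based template compiler is given.
function assertSafeImportKeys(imports) {
  for (const key of Object.keys(imports || {})) {
    if (!IDENTIFIER.test(key)) {
      throw new TypeError(`Unsafe imports key rejected: ${JSON.stringify(key)}`);
    }
  }
  return true;
}

// Constructed input: every non-terminal segment is wrapped in an array.
const wrapped = [['constructor'], ['prototype'], 'toString'];
console.log(naiveTraversesPrototype(wrapped), traversesPrototype(wrapped)); // false true
```

A terminal key named constructor (for example 'a.constructor') is allowed by traversesPrototype, matching the release note's wording that the keys are blocked as non-terminal path keys.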

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
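
Because the commit metadata above marks lodash as an indirect dependency, a reviewer may want to confirm that no nested copy stays below 4.18.0, the release whose notes list the security fixes. The following is an added example, not part of this PR; it assumes an npm package-lock.json in the lockfileVersion 2/3 layout, and findOutdatedLodash, compareVersions and the constructed sampleLock are hypothetical names.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 layout, an
// assumption) for lodash copies that predate the fixes listed under 4.18.0.
const FIXED_IN = '4.18.0'; // taken from the release notes quoted on this page

// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
// Pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every installed lodash entry older than minVersion, including copies
// nested under another package's own node_modules directory.
function findOutdatedLodash(lock, minVersion = FIXED_IN) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/lodash$/.test(path))
    .filter(([, meta]) => meta.version && compareVersions(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile: the hoisted copy is bumped, a nested one is not.
// lodash-es is a different package and is deliberately not matched.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/some-tool/node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash-es': { version: '4.17.21' },
  },
};

console.log(findOutdatedLodash(sampleLock));
```

To check a real project, pass the parsed lockfile instead of sampleLock, for example `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.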

dependabot bot commented on behalf of github Apr 9, 2026

Labels

The following labels could not be found: javascript. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added auto-merge Auto-merge enabled dependencies labels Apr 9, 2026
@dependabot dependabot bot requested a review from adcondev as a code owner April 9, 2026 03:34
@dependabot dependabot bot added the auto-merge Auto-merge enabled label Apr 9, 2026

github-actions bot commented Apr 9, 2026

👋 Thanks for opening this PR, @dependabot[bot]!

Here's what will happen next:

  • 🤖 Automated checks will run
  • 🏷️ Labels will be added automatically
  • 👀 A maintainer will review your changes

Please make sure:

  • ✅ All tests pass
  • 📝 The PR title follows conventional commits
  • 📋 The PR template is filled out completely


github-actions bot commented Apr 9, 2026

⚡ Benchmark Results

📈 Performance Comparison


Current Branch Results

BenchmarkNewDocument-4    	1000000000	         0.3119 ns/op	       0 B/op	       0 allocs/op
BenchmarkBuildSimple-4    	 3655398	       329.8 ns/op	     240 B/op	       4 allocs/op
BenchmarkBuildComplex-4   	  422257	      2762 ns/op	    1809 B/op	      25 allocs/op
BenchmarkToJSON-4         	  541362	      2072 ns/op	     592 B/op	       3 allocs/op
BenchmarkParseDocument_Minimal-4    	  503968	      2310 ns/op	     568 B/op	      14 allocs/op
BenchmarkParseDocument_Receipt-4    	   94141	     12530 ns/op	    2392 B/op	      34 allocs/op
BenchmarkCommandUnmarshal_Text-4    	  421855	      2702 ns/op	     568 B/op	      19 allocs/op
BenchmarkCommandUnmarshal_Table-4   	  275143	      4181 ns/op	     944 B/op	      21 allocs/op
BenchmarkTextCommandParsing-4       	  532056	      2131 ns/op	     544 B/op	      16 allocs/op
BenchmarkTableCommandParsing-4      	  245802	      4785 ns/op	    1000 B/op	      29 allocs/op
BenchmarkParseHexString-4           	 7577804	       157.1 ns/op	      48 B/op	       2 allocs/op
BenchmarkCleanHexString-4           	 6477016	       183.9 ns/op	      64 B/op	       2 allocs/op
BenchmarkContainsSequence-4         	296152699	         4.116 ns/op	       0 B/op	       0 allocs/op
BenchmarkCheckCriticalCommands-4    	32825373	        37.03 ns/op	       0 B/op	       0 allocs/op
BenchmarkDocument_Validate-4       	14477092	        82.68 ns/op	       0 B/op	       0 allocs/op
BenchmarkParseDocument_Simple-4    	  496960	      2401 ns/op	     568 B/op	      14 allocs/op
BenchmarkParseDocument_Complex-4   	  138820	      8570 ns/op	    1352 B/op	      26 allocs/op
BenchmarkPrintImage_Small-4             	     616	   1947208 ns/op	 3469947 B/op	      24 allocs/op
BenchmarkPrintImage_Medium-4            	     325	   3755735 ns/op	 5481095 B/op	      24 allocs/op
BenchmarkPrintImage_ThermalPreview-4    	     138	   8527576 ns/op	 5231185 B/op	  230423 allocs/op

Base Branch Results

BenchmarkNewDocument-4    	1000000000	         0.3122 ns/op	       0 B/op	       0 allocs/op
BenchmarkBuildSimple-4    	 3668238	       327.8 ns/op	     240 B/op	       4 allocs/op
BenchmarkBuildComplex-4   	  425953	      2731 ns/op	    1809 B/op	      25 allocs/op
BenchmarkToJSON-4         	  539281	      2125 ns/op	     592 B/op	       3 allocs/op
BenchmarkParseDocument_Minimal-4    	  505501	      2313 ns/op	     568 B/op	      14 allocs/op
BenchmarkParseDocument_Receipt-4    	   93643	     12587 ns/op	    2392 B/op	      34 allocs/op
BenchmarkCommandUnmarshal_Text-4    	  413064	      2678 ns/op	     568 B/op	      19 allocs/op
BenchmarkCommandUnmarshal_Table-4   	  276442	      4152 ns/op	     944 B/op	      21 allocs/op
BenchmarkTextCommandParsing-4       	  537543	      2156 ns/op	     544 B/op	      16 allocs/op
BenchmarkTableCommandParsing-4      	  242077	      4851 ns/op	    1000 B/op	      29 allocs/op
BenchmarkParseHexString-4           	 7664474	       155.3 ns/op	      48 B/op	       2 allocs/op
BenchmarkCleanHexString-4           	 6482332	       184.2 ns/op	      64 B/op	       2 allocs/op
BenchmarkContainsSequence-4         	296245546	         4.072 ns/op	       0 B/op	       0 allocs/op
BenchmarkCheckCriticalCommands-4    	32537325	        37.03 ns/op	       0 B/op	       0 allocs/op
BenchmarkDocument_Validate-4       	14650880	        83.01 ns/op	       0 B/op	       0 allocs/op
BenchmarkParseDocument_Simple-4    	  502359	      2384 ns/op	     568 B/op	      14 allocs/op
BenchmarkParseDocument_Complex-4   	  139627	      8538 ns/op	    1352 B/op	      26 allocs/op
BenchmarkPrintImage_Small-4             	     622	   1915711 ns/op	 3469939 B/op	      24 allocs/op
BenchmarkPrintImage_Medium-4            	     321	   3644925 ns/op	 5481100 B/op	      24 allocs/op
BenchmarkPrintImage_ThermalPreview-4    	     141	   8594251 ns/op	 5231184 B/op	  230423 allocs/op

💡 Note: Use benchstat for statistical comparison

🎯 Summary

  • Total Benchmarks: 32
  • Average Speed: 2560772 ns/op
  • Average Memory: 2396767 B/op
  • Average Allocations: 41077 allocs/op
