Commit ecc0f79
security: override lodash to ^4.18.0 (VAST-1721)
Pins the transitive lodash dependency (pulled in by jest -> jsdom ->
whatwg-url) to the patched 4.18.x line to address GHSA-35jh-r3h4-6jhm /
CVE-2021-23337 follow-up: code injection via _.template options.imports
key names.
lodash is a dev-only transitive dependency; no runtime impact.
Addresses Dependabot alerts #65 and #67.
1 parent e0c07e0 commit ecc0f79
2 files changed
Lines changed: 6 additions & 751 deletions