fix: update vulnerable dependencies (lodash, serialize-javascript) (#989)

- Update direct lodash dependency: 4.17.23 → 4.18.0 (CVE-2026-4800, CVE-2026-2950)
- Add npm override for serialize-javascript: 6.0.2 → 7.0.5 (CVE-2026-34043, GHSA-5c6j-r48x-rmvq)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: chagong

package-lock.json

@@ -1296,10 +1296,13 @@
     "fmtr": "^1.1.4",
     "fs-extra": "^10.1.0",
     "globby": "^13.1.3",
-    "lodash": "^4.17.23",
+    "lodash": "^4.18.0",
     "minimatch": "^5.1.9",
     "semver": "^7.3.8",
     "vscode-extension-telemetry-wrapper": "^0.15.0",
     "vscode-tas-client": "^0.1.75"
+  },
+  "overrides": {
+    "serialize-javascript": ">=7.0.5"
   }
 }