fix: update lodash to resolve CVE-2026 alerts

[dannyneira]

Summary

• Updates transitive lodash from 4.17.23 to 4.18.1 in package-lock.json.
• Resolves the lodash Dependabot alert batch:
  • https://github.com/warpdotdev/generate-changelog/security/dependabot/61
  • https://github.com/warpdotdev/generate-changelog/security/dependabot/62
• Rebuilds the checked-in dist/ bundle with npm run all.

Vulnerabilities

• CVE-2026-4800 / GHSA-r5fr-rjxr-66jc: lodash code injection via _.template imports key names
  • Advisory: GHSA-r5fr-rjxr-66jc
• CVE-2026-2950 / GHSA-f23m-r3pf-42rh: lodash prototype pollution via array path bypass in _.unset and _.omit
  • Advisory: GHSA-f23m-r3pf-42rh

Notes

• This is a transitive development dependency update.
• No overrides or resolutions were needed; the existing parent range allowed the patched lodash version.
• npm audit still reports unrelated existing vulnerabilities, but no longer reports lodash.

Verification

• npx --yes npm@8 ci --prefix /workspace/generate-changelog
• npx --yes npm@8 run all --prefix /workspace/generate-changelog
• git -C /workspace/generate-changelog --no-pager diff --check
• npx --yes npm@8 audit --json --prefix /workspace/generate-changelog | jq -r '.vulnerabilities | keys | if index("lodash") then "lodash_still_reported" else "lodash_not_reported" end' → lodash_not_reported

Conversation: https://staging.warp.dev/conversation/4a9a1994-546b-46c1-ab82-6d5a5c181bc8
Run: https://oz.staging.warp.dev/runs/019e40f7-32c1-7372-94dd-0ac5a8f003dc
This PR was generated with Oz.