Commit e916769

chore(deps): update dependency lodash-es to v4.18.1 [security] (#1522)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|---|---|
| [lodash-es](https://lodash.com/custom-builds) ([source](https://redirect.github.com/lodash/lodash)) | [`4.17.23` → `4.18.1`](https://renovatebot.com/diffs/npm/lodash-es/4.17.23/4.18.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/lodash-es/4.18.1?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/lodash-es/4.18.1?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/lodash-es/4.17.23/4.18.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/lodash-es/4.17.23/4.18.1?slim=true) |

---

### lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

[CVE-2026-2950](https://nvd.nist.gov/vuln/detail/CVE-2026-2950) / [GHSA-f23m-r3pf-42rh](https://redirect.github.com/advisories/GHSA-f23m-r3pf-42rh)

<details>
<summary>More information</summary>

#### Details

##### Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

##### Patches

This issue is patched in 4.18.0.

##### Workarounds

None. Upgrade to the patched version.

#### Severity

- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`

#### References

- [https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh)
- [https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-2950](https://nvd.nist.gov/vuln/detail/CVE-2026-2950)
- [https://github.com/advisories/GHSA-f23m-r3pf-42rh](https://redirect.github.com/advisories/GHSA-f23m-r3pf-42rh)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-f23m-r3pf-42rh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### lodash vulnerable to Code Injection via `_.template` imports key names

[CVE-2026-4800](https://nvd.nist.gov/vuln/detail/CVE-2026-4800) / [GHSA-r5fr-rjxr-66jc](https://redirect.github.com/advisories/GHSA-r5fr-rjxr-66jc)

<details>
<summary>More information</summary>

#### Details

##### Impact

The fix for [CVE-2021-23337](https://redirect.github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`.

##### Patches

Users should upgrade to version 4.18.0. The fix applies two changes:

1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option)
2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated

##### Workarounds

Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.

#### Severity

- CVSS Score: 8.1 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

#### References

- [https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-4800](https://nvd.nist.gov/vuln/detail/CVE-2026-4800)
- [https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c](https://redirect.github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c)
- [https://cna.openjsf.org/security-advisories.html](https://cna.openjsf.org/security-advisories.html)
- [https://github.com/advisories/GHSA-35jh-r3h4-6jhm](https://redirect.github.com/advisories/GHSA-35jh-r3h4-6jhm)
- [https://github.com/advisories/GHSA-r5fr-rjxr-66jc](https://redirect.github.com/advisories/GHSA-r5fr-rjxr-66jc)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-r5fr-rjxr-66jc) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>lodash/lodash (lodash-es)</summary>

### [`v4.18.1`]()

[Compare Source](https://redirect.github.com/lodash/lodash/compare/4.18.0...4.18.1)

### [`v4.18.0`]()

[Compare Source](https://redirect.github.com/lodash/lodash/compare/4.17.23...4.18.0)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Asia/Shanghai)

- Branch creation - ""
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/voidzero-dev/vite-plus).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
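The two mitigations the second advisory lists, as an added JavaScript example that is not lodash's or this repository's code: a hypothetical `sanitizeImports` helper applies the same forbidden-character class lodash uses for the `variable` option to every `options.imports` key name and copies own properties only, so keys inherited from a polluted `Object.prototype` never reach the `Function()` sink. It assumes the caller runs the imports object through it before handing the result to `_.template`.

```javascript
// Added example, not lodash's or the repository's code: a pre-check for the
// `options.imports` object before it reaches _.template. It mirrors the two
// fixes the advisory lists: (1) reject key names that could not be plain
// parameter identifiers of the generated Function(), (2) copy own properties
// only, so keys inherited from a polluted Object.prototype are never merged.
// `sanitizeImports` / `safeTemplateOptions` are hypothetical helper names.

// Character class lodash's template source applies to the `variable` option
// (reForbiddenIdentifierChars); reproduced here from that source as an assumption.
const FORBIDDEN_IDENTIFIER_CHARS = /[()=,{}\[\]\/\s]/;
// Allow-list on top of it: a key must be a plain JavaScript identifier.
const PLAIN_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function isSafeImportKey(key) {
  return typeof key === 'string'
    && PLAIN_IDENTIFIER.test(key)
    && !FORBIDDEN_IDENTIFIER_CHARS.test(key);
}

function sanitizeImports(imports) {
  // Object.keys enumerates own enumerable keys only (the assignWith
  // behaviour); for..in (assignInWith) would also walk inherited keys.
  const safe = Object.create(null);
  for (const key of Object.keys(imports ?? {})) {
    if (!isSafeImportKey(key)) {
      throw new TypeError(`rejected _.template import key ${JSON.stringify(key)}`);
    }
    safe[key] = imports[key];
  }
  return safe;
}

// Wrap a full options object so the sanitized imports replace the raw ones.
function safeTemplateOptions(options) {
  return { ...options, imports: sanitizeImports(options && options.imports) };
}

// Constructed demo: an imports object whose prototype carries an extra key,
// standing in for a polluted Object.prototype.
function demo() {
  const polluted = Object.create({ leaked: 'from prototype' });
  polluted.helpers = { upper: (s) => s.toUpperCase() };
  return Object.keys(safeTemplateOptions({ imports: polluted }).imports);
}

console.log(demo()); // [ 'helpers' ]
```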
1 parent 4de8a9f commit e916769

1 file changed

Lines changed: 2 additions & 0 deletions

pnpm-workspace.yaml

@@ -162,6 +162,8 @@ minimumReleaseAgeExclude:
162162
- vitepress
163163
- vitest
164164
- vue-virtual-scroller
165+
# Renovate security update: lodash-es@4.18.1
166+
- lodash-es@4.18.1
165167
overrides:
166168
'@rolldown/pluginutils': workspace:@rolldown/pluginutils@*
167169
rolldown: workspace:rolldown@*
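Review bot: the entry added at new line 166 is pinned to the exact version `lodash-es@4.18.1`, which keeps the minimumReleaseAge bypass limited to this one security release while later lodash-es versions still wait out the age window; the comment above it should also state when the entry can be dropped (once 4.18.1 is older than the configured minimum), otherwise `minimumReleaseAgeExclude` accumulates one stale line per security update.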
