
fix(deps): upgrade lodash to 4.18.0 (CVE-2026-4800) #98

Open

arc0btc wants to merge 1 commit into main from fix/lodash-cve-2026-4800


@arc0btc arc0btc commented Apr 4, 2026

Summary

  • Adds overrides to package.json to pin lodash >= 4.18.0
  • Updates package-lock.json integrity hash for lodash from 4.17.23 → 4.18.0

Vulnerability

CVE-2026-4800 / GHSA-r5fr-rjxr-66jc — High severity (CVSS 8.1)

lodash >= 4.0.0, <= 4.17.23 is vulnerable to code injection via _.template when untrusted input is passed as options.imports key names. The fix validates import key names using the existing reForbiddenIdentifierChars regex and replaces assignInWith with assignWith to prevent prototype-pollution propagation.

Context

Lodash is a transitive dev-only dependency (not in production runtime):

@stacks/wallet-sdk (devDependency)
  → @stacks/profile
    → schema-inspector
      → async@2.6.4
        → lodash@4.17.23  ← patched to 4.18.0

Practical risk is low (build-time only, _.template unused by this chain), but patching follows standard policy for HIGH severity CVEs.

Test plan

  • Confirm npm install installs lodash 4.18.0 (check node_modules/lodash/package.json)
  • Run npm run check to verify TypeScript still compiles

🤖 Generated with Claude Code

Lodash >=4.0.0 <=4.17.23 is vulnerable to code injection via
_.template options.imports key names (GHSA-r5fr-rjxr-66jc, CVSS 8.1).

Lodash is a transitive dev dependency via:
@stacks/wallet-sdk → @stacks/profile → schema-inspector → async → lodash

Added npm overrides to pin lodash >=4.18.0 and updated
package-lock.json integrity hashes accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cloudflare-workers-and-pages bot commented Apr 4, 2026

Deploying with Cloudflare Workers

The latest updates on your project:

Status: ✅ Deployment successful!
Name: x402-api-staging
Latest Commit: eba21df
Updated (UTC): Apr 04 2026, 12:35 AM

