security: patch protobufjs, basic-ftp, lodash advisories

Bumps three transitive dependencies in package-lock.json via `npm audit fix`
(non-breaking, no changes to package.json):

- protobufjs 7.2.5 -> 7.5.5  (APS-18801, GHSA-xq3m-2v4x-88gg, RCE)
- basic-ftp   5.2.0 -> 5.3.0 (APS-18762, GHSA-chqc-8p9q-pq6q, CRLF injection)
- lodash      4.17.21 -> 4.18.1 (APS-18683, GHSA-r5fr-rjxr-66jc, code injection)

Verified end-to-end on BrowserStack — sample Playwright suite passes 3/3
across Win11 Chrome, OS X Ventura playwright-webkit, Win11 playwright-firefox.
Build: https://automate.browserstack.com/dashboard/v2/builds/b357e4e033cee6b53239c969632d603ffa481031

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: karanshah-browserstack