chore(security): patch 4 Dependabot alerts #287

Closed
PMerlet wants to merge 1 commit into main from security/2026-04-23
Conversation

PMerlet (Member) commented Apr 23, 2026

Summary

4 fixed, 0 ignored, 0 deferred, 0 resolutions added, 2 resolutions removed.

All four open Dependabot alerts are for lodash and lodash-es at 4.17.23. The root package.json already had resolutions pinning both to ^4.17.23 (vulnerable); bumping the pins to ^4.18.0 resolves them to 4.18.1 and closes all four alerts.

Fixed

| Alert | Package | Ecosystem | From → To | Severity | Change |
| --- | --- | --- | --- | --- | --- |
| #65 | lodash-es | npm | 4.17.23 → 4.18.1 | high | bumped root resolutions["lodash-es"] ^4.17.23 → ^4.18.0 |
| #66 | lodash-es | npm | 4.17.23 → 4.18.1 | medium | bumped root resolutions["lodash-es"] ^4.17.23 → ^4.18.0 |
| #67 | lodash | npm | 4.17.23 → 4.18.1 | high | bumped root resolutions["lodash"] ^4.17.23 → ^4.18.0 |
| #68 | lodash | npm | 4.17.23 → 4.18.1 | medium | bumped root resolutions["lodash"] ^4.17.23 → ^4.18.0 |

Why resolutions rather than a direct-dep bump: neither lodash nor lodash-es is a direct dev dependency. Both are pulled in transitively by the semantic-release tooling chain. The repo already uses Yarn resolutions as the mitigation channel, so bumping the existing pins is the minimal change.

Ignored

None.

Deferred

None — all four alerts are older than the 7-day gate (oldest 21 days, newest 13 days).

Resolutions added

None.

Resolutions removed

Audited every entry in resolutions after the lodash bumps. Processed one at a time with a fresh install between each to avoid compounding changes.

| File | Entry | Reason |
| --- | --- | --- |
| package.json | "js-yaml": "^4.1.1" | Redundant — with the pin removed, the natural dep tree still resolves js-yaml to 4.1.1 (via semantic-release > cosmiconfig and @commitlint/cli > @commitlint/load > cosmiconfig). yarn why js-yaml confirmed. |
| package.json | "ajv": "^8.18.0" | Redundant — with the pin removed, the natural dep tree still resolves ajv to 8.18.0 (via @commitlint/cli > @commitlint/load > @commitlint/config-validator). yarn why ajv confirmed. |

The "semantic-release-slack-bot/**/micromatch": "^4.0.8" pin was also audited and kept: removing it causes semantic-release-slack-bot to pull micromatch@4.0.2 (vulnerable to the ReDoS patched in 4.0.8), so the pin is neither stale nor redundant.

Risks

  • lodash 4.17.23 → 4.18.1 and lodash-es 4.17.23 → 4.18.1: patch-level bumps within the same major. Upstream release notes describe them as the security fixes for the two advisories above, with no documented API changes. Only consumers inside the semantic-release / @commitlint toolchain touch these packages — no runtime code in this repo imports lodash, so there is no impact on the shipped Ruby gem or any runtime behavior.
  • js-yaml and ajv resolution removal: no version change — natural resolution produces exactly the same version that was pinned. Zero runtime risk.
  • No behavior change beyond the patched vulnerabilities.

Manual testing

Covered by CI. The bumped packages are npm devDependencies used only by semantic-release at release time. CI (RuboCop + RSpec, all Ruby) does not exercise the npm toolchain on PRs; semantic-release only runs on merge to main/beta and will exercise the new lockfile there.

Validation

✅ CI green — all 33 Lint + Test + Coverage checks passed on both Ruby 3.4 and 4.0 matrices. Release package and Macroscope - Correctness Check are skipped as expected on PR branches.
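The redundancy audit described under "Resolutions removed" can be checked mechanically. The following is an added example, not code from the PR or the project: it classifies each Yarn resolutions pin as redundant (the version a fresh install picks without the pin already satisfies the pinned range) or required (the pin is forcing an upgrade). The natural-resolution versions are constructed from the figures quoted in the PR text, and the caret-range matching is a deliberately minimal implementation rather than the semver package.

```javascript
// Added example (not the PR's or project's code). `naturalVersions` is a
// constructed map of what a fresh install resolves to once a pin is removed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range for major >= 1: same major and >= the base version.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  if (parseVersion(base)[0] === 0) throw new Error('0.x caret ranges not handled');
  return parseVersion(base)[0] === parseVersion(version)[0] &&
    compareVersions(version, base) >= 0;
}

// Keys may be glob-scoped ("semantic-release-slack-bot/**/micromatch"); the
// pinned package is the last segment, or the last two for an @scope/name.
function pinnedPackage(key) {
  const parts = key.split('/');
  const scoped = parts.length >= 2 && parts[parts.length - 2].startsWith('@');
  return parts.slice(scoped ? -2 : -1).join('/');
}

// "redundant": natural version already satisfies the pin (pin can be dropped).
// "required": natural version falls outside the pin (pin is doing real work).
function auditResolutions(resolutions, naturalVersions) {
  const report = {};
  for (const [key, range] of Object.entries(resolutions)) {
    const natural = naturalVersions[pinnedPackage(key)];
    if (natural === undefined) report[key] = 'unknown';
    else report[key] = caretSatisfies(range, natural) ? 'redundant' : 'required';
  }
  return report;
}

// Constructed input mirroring the PR: pins after the bump, natural versions per `yarn why`.
const resolutions = { lodash: '^4.18.0', 'lodash-es': '^4.18.0', 'js-yaml': '^4.1.1',
  ajv: '^8.18.0', 'semantic-release-slack-bot/**/micromatch': '^4.0.8' };
const naturalVersions = { lodash: '4.17.23', 'lodash-es': '4.17.23',
  'js-yaml': '4.1.1', ajv: '8.18.0', micromatch: '4.0.2' };

console.log(auditResolutions(resolutions, naturalVersions));
```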

Bump lodash and lodash-es resolutions from ^4.17.23 to ^4.18.0 to
address GHSA prototype-pollution (medium) and code-injection via
_.template (high) in both packages. Both now resolve to 4.18.1.

Also remove two redundant resolutions whose natural resolution now
satisfies the original pin:
- js-yaml: natural tree already resolves to 4.1.1
- ajv: natural tree already resolves to 8.18.0

Addresses Dependabot alerts #65, #66, #67, #68.
PMerlet closed this Apr 23, 2026