fix(deps): pin lodash >= 4.18.0 to close Dependabot #18 + #19 (CVE-2026-4800)

Dependabot opened two High-severity alerts on lodash 4.17.23
arriving transitively via orval 7.x → @stoplight/spectral-* →
lodash 4.17.23:

  #19 — CVE-2026-4800 / GHSA-r5fr-rjxr-66jc:
        _.template imports key names → Function() constructor sink
        → arbitrary-code execution at template compile time
  #18 — Prototype pollution via array path bypass in _.unset / _.omit

Both alerts are tagged "Development dependency" by Dependabot —
lodash is only pulled by orval (the Phase 5 API client codegen)
and doesn't reach the production-served bundle. The risk is build-
time RCE during `npm run generate` against untrusted input or a
polluted Object.prototype. Worth fixing regardless.

Fix: add `"lodash": ">=4.18.0"` to the existing `overrides` block
in web/package.json. Force npm to dedupe every transitive lodash
edge onto the top-level 4.18.1 already resolved at the root.

Pre-fix lockfile state (web/package-lock.json):
  node_modules/lodash                                            → 4.18.1
  node_modules/@stoplight/spectral-functions/node_modules/lodash → 4.17.23
  node_modules/@stoplight/spectral-rulesets/node_modules/lodash  → 4.17.23

Post-fix:
  node_modules/lodash                                            → 4.18.1
  (the two nested copies are gone — deduplicated under the override)

Verification:
  cd web
  npm install --package-lock-only --no-audit
  node -e "const lock = require('./package-lock.json');
           for (const [k,v] of Object.entries(lock.packages||{}))
             if (k.includes('lodash') && !k.includes('lodash.'))
               console.log(k, v.version)"
    → node_modules/lodash 4.18.1     (only one entry)
  npm audit
    → found 0 vulnerabilities

Lockfile delta is -14 / +0 (the two nested 4.17.23 copies removed,
no new entries needed since 4.18.1 was already resolved at the root).
The `"lodash": "^4.17.21"` / `~4.17.21` requirements declared by
@stoplight/spectral-functions, spectral-rulesets, and orval itself
are still satisfied — `^4.17.21` accepts 4.18.x, and the override
forces every consumer to the same dedup'd version.

Lockfile-regen pattern lesson: per the standing rule from the
post-Phase-2 + post-Phase-5 lockfile-drift hotfixes, every commit
that edits web/package.json MUST regenerate web/package-lock.json
in the same commit via `npm install --package-lock-only --no-audit`.
This commit follows that rule.

Closes:
  https://github.com/certctl-io/certctl/security/dependabot/19
  https://github.com/certctl-io/certctl/security/dependabot/18

web/package-lock.json

@@ -2279,13 +2279,6 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
-    "node_modules/@stoplight/spectral-functions/node_modules/lodash": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/spectral-parsers": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/@stoplight/spectral-parsers/-/spectral-parsers-1.0.5.tgz",
@@ -2360,13 +2353,6 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
-    "node_modules/@stoplight/spectral-rulesets/node_modules/lodash": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/spectral-runtime": {
       "version": "1.1.5",
       "resolved": "https://registry.npmjs.org/@stoplight/spectral-runtime/-/spectral-runtime-1.1.5.tgz",

web/package.json

@@ -37,6 +37,7 @@
     "vitest": "^4.1.0"
   },
   "overrides": {
-    "picomatch": "^4.0.4"
+    "picomatch": "^4.0.4",
+    "lodash": ">=4.18.0"
   }
 }