fix: override lodash to >=4.18.0 to resolve CVEs

[Marcusg62]

Summary

• Adds npm overrides for lodash and lodash-es to force >=4.18.0 across all transitive dependencies
• Resolves two high-severity vulnerabilities in lodash <=4.17.23:
  • GHSA-r5fr-rjxr-66jc — Code Injection via _.template imports
  • GHSA-f23m-r3pf-42rh — Prototype Pollution via _.unset and _.omit
• The vulnerable versions are transitive dependencies via karma (lodash) and mermaid/chevrotain (lodash-es) — not direct dependencies of ngx-markdown
• Upstream fixes are pending (karma-runner/karma#3931, Chevrotain/chevrotain#2184), so overrides is the practical fix for now

Closes #635

Test plan

• npm ls lodash / npm ls lodash-es confirm 4.18.1 across the tree
• npm audit no longer reports lodash vulnerabilities
• Linter passes (npm run lint)
• All 112 unit tests pass (ng test)

[coveralls]

coverage: 96.759% (-0.2%) from 96.991%
when pulling 4729ec1 on Marcusg62:fix/lodash-vulnerability
into 1080ff9 on jfcere:master.

[jfcere]

You've updated the package.json of the repository that is used for unit testing and the demo, this won't affect the library. The workaround would be for consumers to override lodash and lodash-es in their own package.json while waiting for mermaid to update their dependencies.

[Marcusg62]

omg, that's embarrassing. yeah I think just doing that in their own repos is the best call.

[Marcusg62]

This is my first time ever trying to contribute a fix to anything opensource, would love to help out when mermaid and karma fix there stuff and bump those dependencies here in (in the right place 😅)

[jfcere]

No worries, but I doubt there will be anything to change once mermaid update their dependencies unless they do a major version bump.