next.js
735d6a68 - Update vendored lodash to 4.18.1 (#94473)

Commit
17 hours ago
Update vendored lodash to 4.18.1 (#94473)

### What?

Updates the vendored lodash dependency from `4.17.23` to `4.18.1` and regenerates the compiled `jsonwebtoken` and `babel-packages` bundles.

### Why?

Next.js currently ships lodash `4.17.23` inside `dist/compiled`, which triggers security scanners for CVE-2026-4800 / GHSA-r5fr-rjxr-66jc. Consumers cannot override these vendored compiled copies.

Fixes #94449.

### How?

Bumped the root lodash pin and lockfile resolution, installed the patched package, and reran the focused ncc tasks for the affected compiled sources.

### Verification

- `pnpm --filter=next build`
- `grep -oE '4\.17\.[0-9]+' packages/next/dist/compiled/jsonwebtoken/index.js packages/next/dist/compiled/babel-packages/packages-bundle.js` produced no matches
- `grep -oE '4\.18\.[0-9]+' packages/next/dist/compiled/jsonwebtoken/index.js packages/next/dist/compiled/babel-packages/packages-bundle.js` reported `4.18.1` for both files
- `node -e "const jwt=require('./packages/next/dist/compiled/jsonwebtoken'); const token=jwt.sign({sub:'94449'}, 'secret'); const decoded=jwt.verify(token, 'secret'); if (decoded.sub !== '94449') throw new Error('jsonwebtoken roundtrip failed'); console.log('jsonwebtoken roundtrip ok')"`
- `node -e "const bundle=require('./packages/next/dist/compiled/babel-packages'); if (typeof bundle.presetEnv !== 'function') throw new Error('presetEnv export missing'); console.log('babel-packages export ok')"`

<!-- NEXT_JS_LLM_PR -->