chore(security): audit Dependabot alerts and remove redundant resolutions

[PMerlet]

Summary

0 fixed, 0 ignored, 1 deferred, 0 resolutions added, 2 resolutions removed. | label: 🔒 security applied

Fixed

None.

Ignored

None.

Deferred

• feat(form): add separator layout element #69 — ip-address (npm, dev/transitive). Created 2026-05-06, less than 7 days old; deferred to next run per the age gate.

Resolutions added

None.

Resolutions removed

File	Pinned package + version	Reason
package.json	lodash ^4.18.0	Redundant. With the resolution removed and a fresh yarn install, the natural transitive ranges (^4.17.4, ^4.17.15) resolve to lodash@4.18.1, which already satisfies ^4.18.0. Verified via yarn why lodash.
package.json	lodash-es ^4.18.0	Redundant. With the resolution removed and a fresh yarn install, the natural transitive range (^4.17.21) resolves to lodash-es@4.18.1, which already satisfies ^4.18.0. Verified via yarn why lodash-es.

The semantic-release-slack-bot/**/micromatch: ^4.0.8 resolution is kept — without it, the semantic-release-slack-bot chain falls back to micromatch@4.0.2 (still vulnerable to ReDoS). Verified by removing and re-installing.

Risks

No behavior change. The redundant lodash/lodash-es pins were no-ops at the registry level — removing them yields the same resolved versions (4.18.1) the lockfile already had. Lockfile diff is large because Yarn re-orders entries on a fresh install, but the resolved versions of lodash@4.18.1, lodash-es@4.18.1, and micromatch@4.0.8 are unchanged.

Manual testing

Covered by CI.

Validation

✅ CI green