Bump lodash 4.18.1 to address CVEs (#5744)

* Bump lodash to 4.18.1

* rush change

* New snapshots

* rush change for snapshots

---------

Co-authored-by: Camille Malonzo <cmalonzo@users.noreply.github.com>

Author: cmalonzo

apps/api-extractor/package.json

@@ -70,7 +70,7 @@
     "@rushstack/terminal": "workspace:*",
     "@rushstack/ts-command-line": "workspace:*",
     "diff": "~8.0.2",
-    "lodash": "~4.17.23",
+    "lodash": "~4.18.1",
     "minimatch": "10.2.3",
     "resolve": "~1.22.1",
     "semver": "~7.5.4",

build-tests/localization-plugin-test-02/package.json

@@ -19,7 +19,7 @@
     "@types/webpack-env": "1.18.8",
     "eslint": "~9.37.0",
     "html-webpack-plugin": "~4.5.2",
-    "lodash": "~4.17.23",
+    "lodash": "~4.18.1",
     "local-node-rig": "workspace:*",
     "webpack": "~4.47.0",
     "webpack-bundle-analyzer": "~4.5.0",

common/changes/@microsoft/api-extractor/lodash-4.18.0_2026-04-03-02-33.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/api-extractor",
+      "comment": "Bump lodash 4.18.1 to address CVEs GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@microsoft/api-extractor"
+}

common/changes/@microsoft/webpack5-load-themed-styles-loader/lodash-4.18.0_2026-04-03-03-26.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/webpack5-load-themed-styles-loader",
+      "comment": "",
+      "type": "none"
+    }
+  ],
+  "packageName": "@microsoft/webpack5-load-themed-styles-loader"
+}

common/changes/@rushstack/heft-jest-plugin/lodash-4.18.0_2026-04-03-02-33.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/heft-jest-plugin",
+      "comment": "Bump lodash 4.18.1 to address CVEs GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/heft-jest-plugin"
+}

common/changes/@rushstack/npm-check-fork/lodash-4.18.0_2026-04-03-02-33.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/npm-check-fork",
+      "comment": "Bump lodash 4.18.1 to address CVEs GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/npm-check-fork"
+}

common/changes/@rushstack/webpack5-localization-plugin/lodash-4.18.0_2026-04-03-03-26.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/webpack5-localization-plugin",
+      "comment": "",
+      "type": "none"
+    }
+  ],
+  "packageName": "@rushstack/webpack5-localization-plugin"
+}

common/config/subspaces/build-tests-subspace/pnpm-lock.yaml

@@ -1,6 +1,6 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "b521001fa31a13e992f9979b1292951aa6452daa",
+  "pnpmShrinkwrapHash": "967e60740795b25261512968354cceda53130bcd",
   "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",
-  "packageJsonInjectedDependenciesHash": "a9488da9faaa4bc0166edfe82f2177d7a68e4cb1"
+  "packageJsonInjectedDependenciesHash": "6417db1e9dbcaa9495436f79173389a7d13cba78"
 }