Bumped lodash to 4.18.1 in ghost/core + override (TryGhost#27589)

no ref

Two changes work together to clear all 3 lingering `lodash` advisories:

1. `ghost/core` direct dep: `lodash` `4.17.23` → `4.18.1`
2. Root `pnpm.overrides`: `"lodash@<4.18.0": "^4.18.0"`

The direct edit alone was not enough — transitive consumers `@tryghost/limit-service` (in `admin-x-settings`) and `@testing-library/jest-dom` (in `admin-x-framework`) still pulled `lodash@4.17.x`, keeping the high and moderate advisories alive. The override forces every `lodash` consumer in the tree to `>=4.18.0`, collapsing the resolved tree to a single `lodash@4.18.1` instance.

`lodash` 4.17 → 4.18 is a minor bump within the 4.x major; the API and function signatures are unchanged.

The override is removable when `@tryghost/limit-service` and `@testing-library/jest-dom` each ship a release that declares `lodash >=4.18.0` directly.

Author: 9larsons

ghost/core/package.json

@@ -201,7 +201,7 @@
     "knex": "2.4.2",
     "knex-migrator": "5.3.2",
     "leaky-bucket": "2.2.0",
-    "lodash": "4.17.23",
+    "lodash": "4.18.1",
     "luxon": "3.7.2",
     "mailgun.js": "10.4.0",
     "metascraper": "5.45.15",

package.json

@@ -82,6 +82,7 @@
       "diff@<3.5.1": "^3.5.1",
       "diff@>=6.0.0 <8.0.3": "^8.0.3",
       "handlebars@>=4.0.0 <=4.7.8": "^4.7.9",
+      "lodash@<4.18.0": "^4.18.0",
       "minimatch@<3.1.4": "^3.1.4",
       "minimatch@>=9.0.0 <9.0.7": "^9.0.7",
       "qs@>=6.7.0 <=6.14.1": "^6.14.2",