fix(deps): upgrade lodash, svelte, kit, storybook, tar-fs for security (#3269)

- lodash: ^4.17.21 -> ^4.18.1 (CVE-2026-4800, CVE-2026-2950, CVE-2025-13465)
- svelte: 5.53.3 -> 5.55.1 (CVE-2026-27902, CVE-2026-27901)
- @sveltejs/kit: 2.53.0 -> 2.55.0 (DoS via form deserialization)
- storybook: ^8.6.11 -> ^8.6.18 (CVE-2026-27148)
- tar-fs: >=2.1.2 -> ^3.1.2 (CVE-2025-59343)

Resolves Dependabot alerts #233, #232, #159, #204, #203, #194, #193, #207, #192, #127.

Author: rossnelson

package.json

@@ -127,23 +127,23 @@
     "@eslint/js": "^9.39.2",
     "@grpc/grpc-js": "^1.8.22",
     "@playwright/test": "^1.55.1",
-    "@storybook/addon-a11y": "^8.6.11",
-    "@storybook/addon-actions": "^8.6.4",
-    "@storybook/addon-docs": "^8.6.11",
-    "@storybook/addon-essentials": "^8.6.11",
-    "@storybook/addon-interactions": "^8.6.11",
-    "@storybook/addon-links": "^8.6.11",
+    "@storybook/addon-a11y": "^8.6.18",
+    "@storybook/addon-actions": "^8.6.18",
+    "@storybook/addon-docs": "^8.6.18",
+    "@storybook/addon-essentials": "^8.6.18",
+    "@storybook/addon-interactions": "^8.6.18",
+    "@storybook/addon-links": "^8.6.18",
     "@storybook/addon-svelte-csf": "^5.0.10",
-    "@storybook/addon-themes": "^8.6.11",
-    "@storybook/blocks": "^8.6.11",
+    "@storybook/addon-themes": "^8.6.18",
+    "@storybook/blocks": "^8.6.18",
     "@storybook/icons": "^1.4.0",
-    "@storybook/svelte": "^8.6.11",
-    "@storybook/sveltekit": "^8.6.11",
-    "@storybook/test": "^8.6.11",
+    "@storybook/svelte": "^8.6.18",
+    "@storybook/sveltekit": "^8.6.18",
+    "@storybook/test": "^8.6.18",
     "@storybook/test-runner": "^0.22.0",
     "@sveltejs/adapter-static": "^3.0.8",
     "@sveltejs/adapter-vercel": "^6.3.2",
-    "@sveltejs/kit": "2.53.0",
+    "@sveltejs/kit": "2.55.0",
     "@sveltejs/vite-plugin-svelte": "^6.2.4",
     "@temporalio/activity": "1.15.0",
     "@temporalio/client": "1.15.0",
@@ -190,7 +190,7 @@
     "husky": "^8.0.3",
     "jsdom": "^20.0.3",
     "lint-staged": "^16.2.7",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "mkdirp": "^2.1.3",
     "mock-socket": "^9.1.5",
     "nanoid": "^5.1.5",
@@ -215,19 +215,19 @@
     "remark-parse": "^10.0.2",
     "remark-toc": "^8.0.1",
     "rimraf": "^4.3.1",
-    "storybook": "^8.6.11",
+    "storybook": "^8.6.18",
     "stylelint": "^17.0.0",
     "stylelint-config-recommended": "^18.0.0",
     "stylelint-config-standard": "^40.0.0",
-    "svelte": "5.53.3",
+    "svelte": "5.55.1",
     "svelte-check": "^4.1.5",
     "svelte-eslint-parser": "^1.4.1",
     "svelte-highlight": "^7.8.2",
     "svelte-loader": "^3.2.4",
     "svelte-preprocess": "^6.0.3",
     "svelte2tsx": "^0.7.35",
     "tailwindcss": "^3.4.1",
-    "tar-fs": ">=2.1.2",
+    "tar-fs": "^3.1.2",
     "tslib": "^2.4.1",
     "typescript": "^5.2.2",
     "typescript-eslint": "^8.54.0",
@@ -248,11 +248,25 @@
   },
   "pnpm": {
     "overrides": {
-      "devalue": "5.6.2",
+      "devalue": "5.6.4",
       "axios": "1.12.0",
       "cookie": "0.7.0",
       "micromatch": "^4.0.8",
-      "esbuild": "^0.25.0"
+      "esbuild": "^0.25.0",
+      "serialize-javascript": "^7.0.5",
+      "picomatch@>=4": "^4.0.4",
+      "rollup": "^4.60.1",
+      "flatted": "^3.4.2",
+      "tar": "^7.5.13",
+      "minimatch@>=3 <4": "^3.1.5",
+      "minimatch@>=5 <6": "^5.1.9",
+      "minimatch@>=8 <9": "^8.0.7",
+      "minimatch@>=9 <10": "^9.0.9",
+      "minimatch@>=10": "^10.2.5",
+      "koa": "^3.2.0",
+      "yaml": "^2.8.3",
+      "qs": "^6.15.0",
+      "effect": "^3.21.0"
     },
     "onlyBuiltDependencies": [
       "@swc/core",