
Fix npm security vulnerabilities #89

Open
ditto-integrations wants to merge 1 commit into master from security/batch-1778504467

Conversation

@ditto-integrations

Summary

Resolves: SPO-921

Workflow run

Note: Target versions are sourced from Tines and may not always
reflect the latest or most appropriate release (e.g. a version may
be deprecated upstream). Please verify that the resolved versions
in lockfiles are suitable.

Test plan

  • CI passes
  • No new high/critical vulnerabilities in affected lockfiles
  • Affected SDK/component builds successfully

Generated by Tines + Claude Code

- **@babel/plugin-transform-modules-systemjs** → 7.29.4 (CVE-2026-44728)
- **@babel/plugin-transform-modules-systemjs** → 7.29.4 (CVE-2026-44728)
- **basic-ftp** → 5.3.1 (CVE-2026-44240)
- **lodash** → 4.18.0 (CVE-2026-4800)

Resolves: SPO-921

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

This PR updates npm dependency versions to remediate reported security vulnerabilities (SPO-921), primarily by bumping lodash and pinning vulnerable transitive packages via npm overrides, with corresponding lockfile updates.

Changes:

  • Pin transitive dependencies via overrides (e.g., @babel/plugin-transform-modules-systemjs@7.29.4, basic-ftp@5.3.1).
  • Bump lodash devDependency to ^4.18.0.
  • Regenerate/update lockfiles to reflect the new resolved dependency graph.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| package.json | Adds overrides entries for vulnerable transitive deps; bumps lodash version range. |
| package-lock.json | Updates resolved versions for lodash, Babel toolchain deps, and basic-ftp. |
| examples/vite-typescript-example/package.json | Adds an overrides pin for @babel/plugin-transform-modules-systemjs. |
| examples/vite-typescript-example/package-lock.json | Updates lockfile entries for lodash range and @babel/plugin-transform-modules-systemjs resolution. |
Files not reviewed (1)
  • examples/vite-typescript-example/package-lock.json: Language not supported
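The check the PR description asks of reviewers ("verify that the resolved versions in lockfiles are suitable") and the overrides-plus-lockfile mechanism the Copilot overview describes, as an added example that is not code from the PR or the repository: a Node script that walks package-lock.json and confirms that every copy of an overridden package, nested ones included, resolves to the pinned version, and that no copy of a bumped package such as lodash is still below the fixed release. It assumes a lockfileVersion 2/3 layout (a `packages` map keyed by install path) and exact-version overrides as used in this PR; the two manifests inside it are constructed for the example, and the nested `ftp-deploy-tool` package is invented to show a stale copy being caught.

```javascript
'use strict';
// Added example, not code from the PR or the repository. Assumes lockfile v2/v3
// (`packages` keyed by install path) and exact-version overrides, as in this PR.
// Both manifests below are constructed; "ftp-deploy-tool" is invented.

const SAMPLE_PACKAGE_JSON = {
  devDependencies: { lodash: '^4.18.0' },
  overrides: {
    '@babel/plugin-transform-modules-systemjs': '7.29.4',
    'basic-ftp': '5.3.1',
  },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root' },
    'node_modules/lodash': { version: '4.18.0' },
    'node_modules/@babel/plugin-transform-modules-systemjs': { version: '7.29.4' },
    'node_modules/basic-ftp': { version: '5.3.1' },
    // Constructed: a tool that nests its own, older basic-ftp and lodash.
    'node_modules/ftp-deploy-tool': { version: '1.0.0' },
    'node_modules/ftp-deploy-tool/node_modules/basic-ftp': { version: '5.2.0' },
    'node_modules/ftp-deploy-tool/node_modules/lodash': { version: '4.17.21' },
  },
};

// "x.y.z" -> [x, y, z]; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function versionGte(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return true;
}

// Keys look like "node_modules/lodash" or "node_modules/foo/node_modules/bar";
// the package name (scope included) is everything after the last "node_modules/".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// name -> [{ path, version }] for every installed copy, nested ones included.
function installedCopies(lock) {
  const copies = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !entry.version) continue;
    if (!copies.has(name)) copies.set(name, []);
    copies.get(name).push({ path: key, version: entry.version });
  }
  return copies;
}

// Every copy of an overridden package must resolve to exactly the pinned
// version. An override matching nothing in the lockfile is flagged too: a pin
// that never applies gives no protection and hides a stale advisory entry.
function checkOverrides(pkg, lock) {
  const copies = installedCopies(lock);
  const problems = [];
  for (const [name, pinned] of Object.entries(pkg.overrides || {})) {
    const found = copies.get(name) || [];
    if (found.length === 0) {
      problems.push({ name, path: null, version: null, reason: 'not in lockfile' });
    }
    for (const c of found) {
      if (c.version !== pinned) {
        problems.push({ name, path: c.path, version: c.version, reason: `expected ${pinned}` });
      }
    }
  }
  return problems;
}

// Copies of `name` (direct or nested) still below the fixed version. Bumping
// the range on the direct dependency does not constrain nested copies.
function copiesBelow(lock, name, minVersion) {
  return (installedCopies(lock).get(name) || [])
    .filter((c) => !versionGte(c.version, minVersion));
}

// Usage against a real checkout (hypothetical file name):
//   node check-overrides.js package.json package-lock.json
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const [pkgPath, lockPath] = process.argv.slice(2);
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, 'utf8')) : SAMPLE_PACKAGE_JSON;
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  console.log('override problems:', checkOverrides(pkg, lock));
  console.log('lodash copies below 4.18.0:', copiesBelow(lock, 'lodash', '4.18.0'));
}
```

Run it once per package.json/package-lock.json pair the PR touches (the root and `examples/vite-typescript-example`), since each lockfile is resolved independently. A non-empty result from either function means the lockfile does not deliver what the manifest claims and the "no new high/critical vulnerabilities in affected lockfiles" item in the test plan cannot yet be ticked.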


Comment thread package.json
Comment on lines +48 to +50
"serialize-javascript": "7.0.4",
"@babel/plugin-transform-modules-systemjs": "7.29.4",
"basic-ftp": "5.3.1"
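Review bot: the added `"serialize-javascript": "7.0.4"` override on line +48 is not mentioned in the PR description or commit message, which list only @babel/plugin-transform-modules-systemjs, basic-ftp and lodash; either add it to the list with its advisory reference or drop it from this batch so the description matches the change. All three entries are exact-version pins that apply to every copy in the tree, so once upstream publishes a later fixed release these overrides will keep installing the older one; given the description's own note that target versions come from Tines and may not be the most appropriate release, confirm 7.29.4, 5.3.1 and 7.0.4 are the intended versions and plan a follow-up to remove the pins once the direct dependencies pull in fixed versions on their own.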
Comment thread package.json
"karma-typescript": "^5.5.4",
"karma-typescript-es6-transform": "^5.5.4",
"lodash": "^4.17.21",
"lodash": "^4.18.0",
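Review bot: the `^4.18.0` range only governs the top-level lodash devDependency; any nested copy that another dependency resolves for itself (entries of the form `node_modules/*/node_modules/lodash` in package-lock.json) is not constrained by this line. Check the regenerated lockfiles for such copies below 4.18.0 and, if any remain, add a lodash entry to the overrides block above as was done for the other packages; otherwise the test plan's "no new high/critical vulnerabilities in affected lockfiles" is not actually established for lodash.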

2 participants