chore(deps): resolve 3rd-party vulnerabilities (MBL-1690)

[mahmoud-elmorabea]

Summary

Addresses MBL-1690 — Fix 3rd-party vulnerabilities (Non-Breaking) in customerio-reactnative.

Adds npm overrides to push transitive deps to patched versions per Socket advisories.

Package	From	To	Advisory
lodash	4.17.23	4.18.0	GHSA-f23m-r3pf-42rh (CVE-2026-4800, CVE-2026-2950)
@eslint/plugin-kit	0.2.8	0.3.4	GHSA-xffm-g5w8-qvg7

Notes

• Manifest-only change (package.json). package-lock.json will be regenerated by CI.
• Both targets are devDependency transitives (eslint, build tooling) — runtime SDK is unaffected.

Test plan

• CI green on this PR (npm install resolves overrides without peer-dep failures).

🤖 Generated with Claude Code

---

Note

Low Risk
Dependency override/lockfile-only changes affecting primarily dev tooling; main risk is unexpected install/CI breakage due to resolution or peer-dependency conflicts.

Overview
Adds npm overrides to force patched transitive dependency versions (notably lodash and @eslint/plugin-kit) to address reported third‑party vulnerabilities.

Updates the lockfile to reflect the overridden resolutions (including @eslint/plugin-kit pulling a newer @eslint/core) and bumps the package version to 6.4.2.

^{Reviewed by Cursor Bugbot for commit 2777f50. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Sample app builds 📱

Below you will find the list of the latest versions of the sample apps. It's recommended to always download the latest builds of the sample apps to accurately test the pull request.

---

• iOS APN: 585.3.0 (29625919)
• iOS FCM: 585.3.0 (29625919)
• Android APN: 585.3.0 (29625919)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 5f9e2b5. Configure here.}