the jsdoc was updated, but it used some straight quotes where backticks
were desired

…cs (#6099)

…6153)

* fix(fromPairs): use baseAssignValue for consistent assignmenet

* chore: update dist/

… traversal

Block `constructor` and `prototype` unconditionally as non-terminal
traversal keys in baseUnset, matching the approach already used by
baseSet. The previous guard only blocked the specific two-key sequence
`constructor` → `prototype`, allowing attackers to:
- Delete static methods from built-in constructors (Object.keys,
  Array.isArray, String.fromCharCode) via paths like
  `['constructor', 'keys']`
- Delete built-in prototype methods (toFixed, toLowerCase, valueOf)
  via primitive roots like `_.unset(0, 'constructor.prototype.toFixed')`
- Bypass checks entirely using array-wrapped path segments like
  `[['constructor'], ['keys']]` which evaded the string-only key check
The primitive root exception that previously allowed constructor.prototype
traversal from primitives (e.g., `_.unset(0, 'constructor.prototype.a')`)
is removed as it enabled deletion of properties on shared built-in
prototypes. Path segments are now normalized with toKey() before
validation.

Fixes an incomplete patch for CVE-2021-23337. The `variable` option was validated against `reForbiddenIdentifierChars` but `importsKeys` was left unguarded, allowing code injection via the same `Function()` constructor sink.

This patch:
1. Validates `importsKeys` against `reForbiddenIdentifierChars`
2. Replaces `assignInWith` with `assignWith` when merging imports

Ref: https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
Ref:  CVE-2026-4800

---------

Co-authored-by: Jon Church <me@jonchurch.com>