CWE-1321

This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.

The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077

All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.