Severity: Critical
CVSS Score: 7.3
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .