Severity: Critical
CVSS Score: 9.8
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
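
The class of bug named above, as an added example that is not merge-change's code and not part of this advisory: `unsafeSet`, `safeSet` and `demo` are hypothetical helpers, and the dotted-path input is an assumption about how a path-based setter is called. The unguarded setter follows a `__proto__` segment into `Object.prototype`; the hardened one rejects prototype-reaching keys and writes only own properties.

```javascript
// Added illustration: hypothetical helpers, not merge-change's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded dotted-path setter: the pattern behind prototype pollution.
function unsafeSet(target, path, value) {
  const keys = String(path).split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // a '__proto__' segment resolves to Object.prototype
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-reaching keys, touches own properties only.
function safeSet(target, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError('refusing unsafe path: ' + keys.join('.'));
  }
  const put = (obj, key, val) => Object.defineProperty(obj, key,
    { value: val, writable: true, enumerable: true, configurable: true });
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) put(node, key, {});
    node = node[key];
  }
  put(node, keys[keys.length - 1], value);
  return target;
}

// Runs both setters on a constructed input and restores Object.prototype.
function demo() {
  const out = {};
  unsafeSet({}, '__proto__.polluted', true);
  out.unsafePolluted = ({}).polluted === true; // every object now inherits it
  delete Object.prototype.polluted;
  try {
    safeSet({}, '__proto__.polluted', true);
    out.safeRejected = false;
  } catch (err) {
    out.safeRejected = err instanceof TypeError;
  }
  out.cleanAfterSafe = ({}).polluted === undefined;
  out.normalWrite = safeSet({}, 'a.b', 1).a.b === 1;
  return out;
}
```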