Severity: Critical
CVSS Score: 7.3
The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.