merge is vulnerable to prototype pollution. A bypass of the fix for CVE-2018-16469 exists and allows arbitrary properties of the Object prototype to be added or modified via JSON.parse.
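
The following added example (not the `merge` package's code) shows why `JSON.parse` input matters for a recursive merge and how a merge can refuse the keys that reach `Object.prototype`. The names `safeMerge`, `BLOCKED_KEYS`, `isPlainObject` and `demo` are hypothetical, and the input string is constructed for illustration.

```javascript
// Added illustration: a recursive merge hardened against prototype pollution.
// All names here are hypothetical; this is not the `merge` package's API.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Merges source into target, skipping blocked keys at every depth.
// Returns the list of rejected keys so callers can log or alert on them.
function safeMerge(target, source, rejected = []) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into objects the target owns, never inherited ones.
      const owns = Object.prototype.hasOwnProperty.call(target, key);
      if (!owns || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value, rejected);
    } else {
      target[key] = value;
    }
  }
  return rejected;
}

function demo() {
  // Constructed input. JSON.parse stores "__proto__" as an ordinary own
  // property, so Object.keys() enumerates it, unlike an object literal.
  const parsed = JSON.parse(
    '{"name":"svc","__proto__":{"polluted":true},' +
    '"opts":{"constructor":{"prototype":{"polluted":true}}}}'
  );
  const merged = {};
  const rejected = safeMerge(merged, parsed);
  return {
    ownProtoKey: Object.keys(parsed).includes('__proto__'),
    rejected,
    polluted: ({}).polluted !== undefined, // check a fresh object
    merged,
  };
}
```

A non-empty `rejected` list on untrusted input is worth logging, since legitimate configuration rarely contains these keys.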