Dung Le

**Name of the Vulnerable Software and Affected Versions** @ianwalter/merge versions all **Description** The issue concerns Prototype Pollution via the main (`merge`) function. The maintainer suggests using @generates/merger instead, as @ianwalter/merge is deprecated. **Recommendations** For all versions, consider using @generates/merger as a replacement, as suggested by the maintainer, until a patch is available for @ianwalter/merge. As a temporary workaround, consider avoiding the use of the `merge` function in @ianwalter/merge to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** merge-change versions all **Description** The issue concerns Prototype Pollution via the `utils.set` function. This affects all versions of the package merge-change. **Recommendations** For all versions, consider disabling the `utils.set` function as a temporary workaround until a patch is available. Restrict access to the vulnerable function to minimize the risk of exploitation. Avoid using the `utils.set` function in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** record-like-deep-assign versions all **Description** The issue affects the main functionality of the package, allowing for Prototype Pollution. This occurs when an attacker can inject properties into an object's prototype, potentially leading to unintended behavior or security vulnerabilities. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For all versions, consider restricting the use of the `record-like-deep-assign` package until a fix is available, as it is vulnerable to Prototype Pollution via its main functionality. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ts-nodash versions prior to 1.2.7 **Description** The issue is related to Prototype Pollution via the Merge() function due to a lack of validation input. This affects the ts-nodash package. **Recommendations** For versions prior to 1.2.7, update to version 1.2.7 or later to resolve the issue. As a temporary workaround, consider disabling the `Merge()` function until a patch is available. Restrict access to the `Merge()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** lutils versions prior to a fixed version **Description** The issue concerns Prototype Pollution via the main (merge) function. This allows for potential manipulation of the prototype, which can lead to various security issues. **Recommendations** For all versions of lutils, update to a version that includes a fix for the Prototype Pollution issue in the main (merge) function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.