deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords().