All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.