All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function.