All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.