All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor.