All versions of package confucious are vulnerable to Prototype Pollution via the set function.