GHSA-mhwj-73qx-jqxm: @theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function

May 11, 2026

@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime.

References

github.com/TheeCryptoChad/merge-guard/commit/25e4b4f2618578a656ef3cb4946a1b475f736736
github.com/TheeCryptoChad/merge-guard/security/advisories/GHSA-mhwj-73qx-jqxm
github.com/advisories/GHSA-mhwj-73qx-jqxm

Code Behaviors & Features

Detect and mitigate GHSA-mhwj-73qx-jqxm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →