All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
The MITRE CVE dictionary describes this issue as: