All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function.
js-data js-data