Versions of the package extend2 prior to 1.0.1 are vulnerable to Prototype Pollution via the extend function due to an unsafe recursive merge.
eggjs extend2
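
The bug class named above, shown as an added example: a generic unsafe recursive merge next to a hardened one. This is illustration code, not extend2's source or its 1.0.1 fix; the names `unsafeMerge`, `safeMerge`, `demo` and the JSON input are constructed for the example.

```javascript
// Generic illustration only; not extend2's source code.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unsafe: recurses into whatever target[key] resolves to, inherited or not.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      // For key "__proto__", target[key] is Object.prototype, so the
      // recursion writes the nested keys onto the shared prototype.
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys and only recurse into own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed input: JSON.parse makes "__proto__" an own, enumerable key.
function demo(merge) {
  const input = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":true}}');
  const merged = merge({}, input);
  const leaked = ({}).polluted === true; // visible on an unrelated object?
  delete Object.prototype.polluted;      // restore global state
  return { merged, leaked };
}

console.log('unsafe:', demo(unsafeMerge).leaked, 'safe:', demo(safeMerge).leaked);
```

A regression test for any merge helper can reuse `demo`: parse untrusted-looking JSON, merge it, and assert that a fresh `{}` gained no new properties.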