In Plotly plotly.js prior to 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.
plotly plotly.js