A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Note that this issue was reported for the node.extend package:
What is included in various Red Hat products is the extend package:
Closing this since I mistakenly confused the nodejs.extend package with nodejs-extend. As noted in bug 1672402, comment 1, this vulnerability is for nodejs.extend, while the package we ship is nodejs-extend.
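The affected range in the description and the package mix-up behind the closure can both be checked against a dependency lockfile. The following is an added example, not code from this bug report or from either package; it assumes an npm lockfile with a v2/v3 `packages` map, reads "~<2.0.1" as 2.0.x releases below 2.0.1, and uses constructed sample data.

```javascript
// Added example: triage a package-lock.json "packages" map for affected
// node.extend versions, keeping the similarly named "extend" package separate.
// Assumption: "<1.1.7, ~<2.0.1" means below 1.1.7, or 2.0.x below 2.0.1.
const AFFECTED_NAME = 'node.extend';
const LOOKALIKE_NAME = 'extend'; // different package, not covered by the report

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] === 2) return lessThan(v, [2, 0, 1]);
  return lessThan(v, [1, 1, 7]);
}

function triageLockfile(lock) {
  const result = { affected: [], fixed: [], lookalikes: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace entry
    // npm records "name" only when the folder name differs (aliased installs)
    const name = meta.name || path.slice(idx + 'node_modules/'.length);
    const entry = { path, version: meta.version };
    if (name === AFFECTED_NAME) {
      (isAffected(meta.version) ? result.affected : result.fixed).push(entry);
    } else if (name === LOOKALIKE_NAME) {
      result.lookalikes.push(entry);
    }
  }
  return result;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/extend': { version: '3.0.2' },
    'node_modules/node.extend': { version: '2.0.0' },
    'node_modules/legacy/node_modules/node.extend': { version: '1.1.6' },
    'node_modules/tool/node_modules/node.extend': { version: '1.1.8' },
  },
};
console.log(JSON.stringify(triageLockfile(SAMPLE_LOCK), null, 2));
```

Entries listed under `lookalikes` are the `extend` package and fall outside this report, which is the distinction that led to the closure here.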