A flaw was found in merge-deep 3.0.2. A prototype pollution issue of Object.prototype via a constructor payload may lead to denial of service and other consequences. References: https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep
Most probably this is the upstream PR: https://github.com/jonschlinkert/merge-deep/pull/17/files
External References: https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep
Statement: In OpenShift Container Platform 4.6 (OCP), the openshift4/ose-prometheus container ships the vulnerable version of merge-deep; however, the Prometheus react-ui is disabled, hence this flaw cannot be exploited. As the openshift4/ose-prometheus container still packages the vulnerable code, this component is affected with impact Low. This may be fixed in a future release.
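The description above names a constructor payload as the route to Object.prototype. As an added example (not merge-deep's code and not the upstream fix), the recursive merge below refuses the keys that lead there and reports what it skipped; `safeMergeDeep`, `BLOCKED_KEYS`, `demo` and the sample input are hypothetical names and constructed data.

```javascript
// Added example: hypothetical helper, not taken from merge-deep.
// Keys that let a recursive merge walk from a plain object to Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Merge own enumerable keys of `source` into `target`, recursing into plain
// objects. Blocked keys are skipped and their dotted paths are returned so
// the caller can log or reject the input.
function safeMergeDeep(target, source, rejected = [], path = '') {
  for (const key of Object.keys(source)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) {
      rejected.push(here);
      continue;
    }
    const val = source[key];
    if (isPlainObject(val)) {
      // Only descend into an own, plain-object property of the target;
      // never into something inherited from the prototype chain.
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMergeDeep(target[key], val, rejected, here);
    } else {
      target[key] = val;
    }
  }
  return rejected;
}

function demo() {
  // Constructed sample input shaped like the constructor payload the advisory describes.
  const untrusted = JSON.parse(
    '{"theme":{"dark":true},"constructor":{"prototype":{"polluted":"yes"}}}'
  );
  const config = { theme: { dark: false, font: 'mono' } };
  const rejected = safeMergeDeep(config, untrusted);
  // `polluted` stays undefined on a fresh object if Object.prototype is intact.
  return { config, rejected, polluted: ({}).polluted };
}

console.log(demo());
```

A non-empty return value from `safeMergeDeep` is a useful signal to log, since legitimate configuration data rarely carries these keys.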