A flaw was found in merge-deep 3.0.2. A prototype pollution issue of Object.prototype via a constructor payload may lead to denial of service and other consequences.
Most probably this is upstream PR:
In OpenShift Container Platform (OCP) 4.6, the openshift4/ose-prometheus container ships the vulnerable version of merge-deep; however, the Prometheus react-ui is disabled, so this flaw cannot be exploited. Because the openshift4/ose-prometheus container still packages the vulnerable code, this component is affected with impact Low. This may be fixed in a future release.
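The pollution path named in the flaw description (a `constructor` key reaching `Object.prototype` during a recursive merge), shown as an added example that is neither merge-deep's code nor part of the original report. `naiveMerge`, `safeMerge` and `demo` are hypothetical helpers and the payload is constructed for illustration.

```javascript
// Added example: hypothetical helpers, not merge-deep's implementation.
const isObj = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlain = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge: follows every source key, including inherited
// targets such as target.constructor (the Object function).
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObj(val) && isObj(target[key])) {
      naiveMerge(target[key], val); // {}.constructor.prototype === Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: refuses prototype-reaching keys and only recurses into
// properties the target owns itself, never inherited ones.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const val = source[key];
    if (isPlain(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlain(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs both merges on a constructed payload and reports whether a fresh
// object inherits the injected property afterwards.
function demo() {
  const payload = JSON.parse(
    '{"constructor":{"prototype":{"polluted":"yes"}},"a":{"b":1}}');
  const safe = safeMerge({}, payload);
  const afterSafe = ({}).polluted;   // hardened merge leaves the prototype alone
  naiveMerge({}, payload);
  const afterNaive = ({}).polluted;  // naive merge wrote to Object.prototype
  delete Object.prototype.polluted;  // restore global state
  return { safe, afterSafe, afterNaive };
}
```

Where untrusted JSON must be merged and the library cannot be upgraded, the same key filter can be applied to the input before it reaches the merge call.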