Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Under certain circumstances an attacker can add or modify properties that will exist on all objects.
Created nodejs-deep-extend tracking bugs for this issue:
Affects: epel-all [bug 1578247]
Affects: fedora-all [bug 1578248]
NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected.