Versions of @blackprint/engine from 0.8.12 to 0.9.1 are vulnerable to prototype pollution. The function setDeepProperty
recursively assigns the source property to the destination without proper validation, so an attacker can modify the prototype of Object
using a payload like: [["__proto__"], "..."]
(async () => {
  // Load the affected package.
  const lib = await import('@blackprint/engine');
  var victim = {};
  // Show the prototype before anything is written to it.
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
})();
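
The unvalidated recursive assignment described above, next to a hardened version that validates every path segment. This is an added example, not code from @blackprint/engine or from the advisory; the names naiveSetDeep, safeSetDeep and demo and the marker property pollutedByDemo are hypothetical, and the input is constructed.

```javascript
// Added example: hypothetical helpers, not @blackprint/engine's own code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unvalidated pattern: a "__proto__" segment resolves to Object.prototype,
// so the final write lands on the prototype shared by every object.
function naiveSetDeep(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened pattern: validate every segment, descend only into own properties.
function safeSetDeep(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    // Reject non-string keys too: ["__proto__"] coerces to "__proto__".
    if (typeof key !== 'string' || BLOCKED_KEYS.has(key)) {
      throw new Error('blocked path segment: ' + JSON.stringify(key));
    }
  }
  let node = target;
  for (const key of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Runs both setters on a constructed path and reports what happened.
function demo() {
  const probe = 'pollutedByDemo'; // constructed marker name
  naiveSetDeep({}, ['__proto__', probe], true);
  const naivePolluted = ({})[probe] === true;
  delete Object.prototype[probe]; // undo the pollution before continuing
  let blocked = false;
  try { safeSetDeep({}, ['__proto__', probe], true); } catch (e) { blocked = true; }
  const safePolluted = ({})[probe] === true;
  return { naivePolluted, blocked, safePolluted, ok: safeSetDeep({}, ['a', 'b'], 1) };
}

console.log(demo());
```

Where the setter cannot be changed, the same segment check can run on untrusted paths before they reach it.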