merge@1.2.1 is vulnerable to prototype pollution via _recursiveMerge

According to npm audit, one of Twing's dependencies, merge@1.2.1, is vulnerable to prototype pollution via _recursiveMerge:

# Run  npm install merge@2.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1666                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I had a go at updating merge on a local copy of Twing and after updating package.json, I've managed to successfully build Twing and all tests pass without any further modifications.

I'm happy to provide a pull request, although unless I've missed something all it'll involve is updating package.json.
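As an added example (not code from Twing or from the merge package), here is what a recursive merge looks like when it refuses to walk into prototype-altering keys, plus a regression check a project can keep in its test suite to confirm that merging untrusted JSON leaves Object.prototype untouched; the names safeDeepMerge and prototypeStaysClean are assumptions of this example.

```javascript
// Keys that would rewrite the prototype chain if copied or recursed into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal / JSON-parsed / null-prototype) are merged
// recursively; arrays, class instances, functions etc. are assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies `source` into `target` and returns `target`.
// Only own enumerable keys of `source` are visited, forbidden keys are
// skipped, and nested merges never descend into an inherited property.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeDeepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: feed a constructed JSON document carrying the classic
// pollution keys through `mergeFn` and report whether a fresh object picked
// up the injected property. Any stray write is removed afterwards so later
// tests in the same process are not affected.
function prototypeStaysClean(mergeFn) {
  const untrusted = JSON.parse(
    '{"__proto__": {"polluted": "yes"}, "constructor": {"prototype": {"polluted": "yes"}}, "a": {"b": 1}}'
  );
  const result = mergeFn({}, untrusted);
  const clean = ({}).polluted === undefined && !('polluted' in {});
  delete Object.prototype.polluted;
  return { clean, resultKeys: Object.keys(result).sort() };
}
```

Running prototypeStaysClean against the merge implementation a project actually ships is a cheap way to catch a regression to a vulnerable version after a dependency update.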

Edited by Damien Dart