Fix prototype pollution in unflatten

[MatthiasKunnen]

The unflatten function contains a prototype pollution vulnerability. I've added a test and fix.

I've tested back to 1.0.0 and all versions are vulnerable.

This fixes #105 .

[deleonio]

Hello, ist that possible to merge in all releases. The major release ...

1.6.1
2.0.0
3.0.0
4.1.0
5.0.0

[timoxley]

Backported fix and released new major versions:

• 1.6.2
• 2.0.2
• 3.0.1
• 4.1.2
• 5.0.2

Deprecated all versions of flat without the fix.

Thanks a lot

[DevRCRun]

hello

I'm here following a snyk report looking for the 4.1.2 release as it doesn't appear to be available via npm, the same looks to have been true of 4.1.1

#110

Could you push the new major versions there please? (unless I'm missing something obvious!)

[timoxley]

@DevRCRun Fixed.

[cythrawll]

So our group fails builds if they have a certain SYNK threshold package in them. The SYNK says latest fixed version is 4.1.2 so a build with 4.1.1 doesn't meet the criteria. Can either 4.1.2 be published for this or SYNK corrected?