minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html