v6 has been released as flexible-xml-parser. Current code in the repository would be removed soon. It has no interference with current version code. So dont report any vulenrability in v6.

Please also carefully check if prototype pollution is causing any damage or is it just a false alarm.

If you believe you have found a security vulnerability in this repository which can be potentially harful for the users in anyway, please do not report security vulnerabilities through public GitHub issues. Instead, please report it to us as described below.

To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.