JavascriptJavaScript `eval()` / `new Function()` on untrusted inputApril 25, 2026Prototype pollution — `merge`, `assign`, and friendsApril 25, 2026