TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
`telejson` versions prior to 6.0.0 (released 2022) are vulnerable to DOM-based Cross-Site Scripting (XSS) through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to `new Function()` without sanitisation, allowing arbitrary JavaScript execution.
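The mitigation for this class of defect is to never turn a constructor name from untrusted JSON into code: look the name up in a fixed allowlist of class references and reject anything else. The following is an added example written for this page, not telejson's own code or wire format; the `__constructor__` marker key and the `Point`/`Range` classes are constructed for illustration.

```javascript
// Added example (not telejson's code): a hardened JSON reviver that restores
// class instances by constructor name WITHOUT `new Function()` or `eval`.
// The `__constructor__` marker and the classes below are constructed for this
// example; telejson's real format is not reproduced here.
class Point {
  constructor(x, y) { this.x = x; this.y = y; }
  static fromJSON(o) { return new Point(o.x, o.y); }
}
class Range {
  constructor(lo, hi) { this.lo = lo; this.hi = hi; }
  static fromJSON(o) { return new Range(o.lo, o.hi); }
}

// Allowlist: the only constructors the deserialiser may ever instantiate.
// A Map (not a plain object) is used so names such as "constructor" or
// "__proto__" cannot resolve through the prototype chain.
const REGISTRY = new Map([["Point", Point], ["Range", Range]]);

const TAG = "__constructor__"; // constructed marker key for this example

// Revives tagged objects bottom-up; any unknown or non-string name is an error.
function safeParse(text) {
  return JSON.parse(text, (key, value) => {
    if (value === null || typeof value !== "object" ||
        !Object.prototype.hasOwnProperty.call(value, TAG)) {
      return value;
    }
    const name = value[TAG];
    const cls = typeof name === "string" ? REGISTRY.get(name) : undefined;
    if (!cls) {
      throw new Error(`refusing to revive unknown constructor: ${String(name)}`);
    }
    const { [TAG]: _tag, ...fields } = value;
    return cls.fromJSON(fields); // the name selects a class; it is never executed
  });
}

// Detection hook: list every constructor name in a payload that is not
// allowlisted, e.g. for logging or alerting before the payload is revived.
function findUnknownConstructors(text) {
  const seen = new Set();
  JSON.parse(text, (key, value) => {
    if (key === TAG && !REGISTRY.has(value)) seen.add(String(value));
    return value;
  });
  return [...seen];
}
```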