Holds if call
comes from a package named id
and is vulnerable to prototype pollution
in every version of that package.
Import path
import semmle.javascript.security.dataflow.PrototypePollutionCustomizations
predicate isVulnerableDeepExtendCallAllVersions(ExtendCall call, string id)