The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607
https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3
https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631