The package total4 before 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
https://snyk.io/vuln/SNYK-JS-TOTAL4-1130527
https://github.com/totaljs/framework4/commit/8a72d8c20f38bbcac031a76a51238aa528f68821
https://github.com/totaljs/framework4/blob/master/utils.js%23L5430-L5455