The vulnerability centers around prototype pollution during options merging. While no direct patch diffs are provided, all advisory descriptions consistently identify the root cause as unsafe deep merging in options processing. Chart.js' helper merge() functions are the logical location for this vulnerable operation, as they handle configuration merging. The high-confidence entry reflects the core merge utility directly handling object assignments, while the medium-confidence entry covers configuration-specific merging that would leverage the same vulnerable pattern. These functions would appear in stack traces when processing malicious options payloads.