@jonschlinkert @danez , Did you get a chance to have a look?
(sorry to use the @ I will only use this once in case you missed this PR)

I wonder why you didn't dispute the claim. I admit that using unset to modify an object's prototype is suspicious, but input sanitisation is not usualy done in such low-level methods.

unset({}, '__proto__.toLocaleString')
unset(Object.prototype, 'toLocaleString')

They could complain about Object.assign, but unset-value was an easier target ;-)

Object.assign(({})['__proto__'], { toString: undefined })
Object.assign(Object.prototype, { toString: undefined })

Except for the __proto__ property, which is unlikely to be used in real-world software, you disabled constructor and prototype anywhere, which can have valid real-world use cases, for example:

obj = { constructor: { fixed: true } }
unset(obj, 'constructor.fixed')

I think that reports from Mitre, Veracode, Snyk and other companies, which base their business on reporting vulnerabilities, should be validated more rigorously. In any case, this is about your package and you can decide about its interface an implementation, hopefully freely and not after blackmailing ;-)

But strictly speaking, this was a breaking change and you released it as a patch version!