What does the "package.json" dependency have to do with adding or changing a property at runtime?
The heart of this is that somebody has chosen inheritance and made sensitive variables public instead of private. You can blame Javascript's prototypical model as it's a zero-sum inheritance model (not the best), but really this seems like "researchers" burning grant money to state obvious things about this model. Although to be fair, a lot of JS tutorials give examples of how to add properties to the parent classes via child classes and call it an "elegant" usage of "advanced inheritance" ... so they get what they deserve.
Biting the hand that feeds IT
