diff --git a/lib/index.js b/lib/index.js
index d90f14fbe..1c253fa94 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -1,3 +1,8 @@
+// This is the temporary fix for https://snyk.io/vuln/SNYK-JS-PREDEFINE-1054935
+// The vulnerability is introduced via snyk-broker@* › primus@6.1.0 › fusing@1.0.0 › predefine@0.1.2
+// We require predefine early to replace vulnerable function `merge` with not vulnerable analog `lodash.merge`.
+require('predefine').merge = require('lodash.merge');
+
 require('clarify'); // clean the stacktraces
 const path = require('path');
 const yaml = require('js-yaml');
diff --git a/package.json b/package.json
index 441a13efe..fe59cf0ca 100644
--- a/package.json
+++ b/package.json
@@ -62,6 +62,7 @@
 "js-yaml": "^3.13.1",
 "lodash.escaperegexp": "^4.1.2",
 "lodash.mapvalues": "^4.6.0",
+ "lodash.merge": "^4.6.2",
 "minimatch": "^3.0.4",
 "minimist": "^1.2.5",
 "node-cache": "^5.1.0",
diff --git a/test/unit/predefine-pp-hotfix.test.ts b/test/unit/predefine-pp-hotfix.test.ts
new file mode 100644
index 000000000..43fcfbdbb
--- /dev/null
+++ b/test/unit/predefine-pp-hotfix.test.ts
@@ -0,0 +1,11 @@
+describe('predefine prototype pollution', () => {
+ it('is not exploitable', () => {
+ require('../../lib/index');
+
+ require('primus').prototype.merge(
+ {},
+ JSON.parse('{"__proto__": {"a": "b"}}'),
+ );
+ expect(({} as any).a).toBeUndefined();
+ });
+});
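Review bot: The monkey-patch on the new `require('predefine').merge = ...` line only works if the `predefine` instance resolved from lib/index.js is the same module object that fusing/primus load later; with nested or non-deduplicated node_modules (a second copy of predefine under fusing, or a version the top-level resolver picks differently) the assignment lands on an unrelated object and the vulnerable `merge` stays in place. It also depends on nothing having required primus before this line, and on primus reading `predefine.merge` at call time rather than caching the function reference when it is first loaded; the test in test/unit/predefine-pp-hotfix.test.ts covers the latter only for the single resolution in this repo's tree. I would state both assumptions in the comment, e.g. `// NOTE: must run before anything requires primus, and assumes a single hoisted copy of predefine in node_modules`, and replace "temporary fix" with a tracked `// TODO(<owner>): remove once predefine/fusing ship a fixed release` so the shim does not outlive the upstream fix. Note that lodash.merge has its own prototype-pollution history, so the `^4.6.2` floor in package.json is load-bearing and should not be relaxed.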
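Review bot: If the assertion on the last `expect` line ever fails, `Object.prototype.a` stays set for the rest of the Jest worker process and can make unrelated tests in the same run fail or pass spuriously; add `afterEach(() => { delete (Object.prototype as any).a; });` so the polluted key is always cleaned up. The test also only proves the payload is rejected, not that the replacement still merges normally, so the hotfix could silently break primus' own option handling — add a second assertion such as `expect(require('primus').prototype.merge({}, { x: 1 })).toEqual({ x: 1 });`. Since the check goes through `require('primus').prototype.merge`, it implicitly assumes primus exposes predefine's `merge` on its prototype and resolves it at call time; a comment naming that assumption would help whoever removes this shim later.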