I know the attack vector is not as critical as npm audit might indicate, but I think it is bad for the reputation if a newly created Meteor 2.15 project shows an npm audit issue directly after npm install:
```
npm audit
# npm audit report

browserify-sign 2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/meteor-node-stubs/node_modules/browserify-sign

1 high severity vulnerability

To address all issues, run:
  npm audit fix
```
I would propose that skeletons for new versions should have 0 audit issues, something that CI could handle.
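One way to implement the CI gate proposed above, as example code added to this thread (it is not Meteor's own tooling): it parses `npm audit --json`, which is assumed to be in the npm 7+ report format, and fails the build when any finding at or above a chosen severity remains; the embedded sample report is constructed to mirror the output quoted in the post.

```python
"""CI gate for a new project skeleton: parse `npm audit --json` output and
fail when any finding at or above a severity threshold remains. Example added
for this thread; not part of Meteor's tooling."""
import json
import subprocess
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 7+ `npm audit --json` shape, modelled on the
# report quoted in the post (hand-written here, not captured output).
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "browserify-sign": {
            "name": "browserify-sign", "severity": "high", "range": "2.6.0 - 4.2.1",
            "via": [{"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
                     "severity": "high"}],
            "nodes": ["node_modules/meteor-node-stubs/node_modules/browserify-sign"],
            "fixAvailable": True,
        }
    },
    "metadata": {"vulnerabilities": {"high": 1, "total": 1}},
}

def failing_findings(report: dict, min_severity: str = "low") -> list:
    """Return (package, severity, range, advisory URLs, fix available) for every
    vulnerable package at or above min_severity; default "low" means zero findings."""
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for name, v in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(v.get("severity", "info"), 0) < threshold:
            continue
        # `via` mixes advisory dicts and plain dependency-name strings; keep the URLs.
        urls = [a["url"] for a in v.get("via", []) if isinstance(a, dict) and "url" in a]
        found.append((name, v["severity"], v.get("range", ""), urls,
                      bool(v.get("fixAvailable"))))
    return found

def gate_exit_code(report: dict, min_severity: str = "low") -> int:
    """0 when the tree is clean at the threshold, 1 otherwise (CI fails the build)."""
    findings = failing_findings(report, min_severity)
    for name, sev, rng, urls, fixable in findings:
        print(f"{sev:>8}  {name} {rng}  fix available: {fixable}  {' '.join(urls)}")
    return 1 if findings else 0

if __name__ == "__main__":
    # npm exits non-zero when it reports findings, so check=True must not be used.
    out = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True).stdout
    sys.exit(gate_exit_code(json.loads(out), "low"))
```

Run it in the freshly created skeleton directory right after `npm install`; a non-zero exit code fails the CI job.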