Browserify Sign is still vulnerable in 2.15

I know, the attack vector is not as critical as the npm audit might indicate but I think it’s a bad reputation if a newly created Meteor 2.15 project shows after npm install directly an npm audit issue:

npm audit
# npm audit report

browserify-sign  2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack -
fix available via `npm audit fix`

1 high severity vulnerability

To address all issues, run:
  npm audit fix

I would propose, that skeletons for new versions should have 0 audit issues, something that CI could handle.