Old insecure tough-cookie present in meteor’s nodejs 14

Copied from Slack

The 3rd party package tough-cookie is present in a very old version with a critical vulnerability in the meteor nodejs 14 build/docker image. Why is it even there?

image

usr/local/v14.21.4/lib/node_modules/npm/node_modules/tough-cookie/package.json

First, is this an issue in Meteor 3?