While I am not opposed to this change, in an effort to reduce any churn it might cause, can you make a case for why this matters?

The use case for this module does not care at all for a redos because it is a cli tool. I made my very simple case for this here, and am not sure anything has changed.

Nothing, apart from github's security spam. Feel free to close.

Ok, will close. I brought this up to the people who matter, apparently something is coming soon to help with this kind of spam.

https://twitter.com/wesleytodd/status/1026253123449311232

That would be great, it would help all the way up the dependency chain.
Currently when I get a security alert, I step down the chain to the last responsive project.
Maybe that isn't a common response.

Yeah, I think the it is a good response, even if it is not common. I do the same thing usually.

The problem is that the tooling is very broad in its messaging because it cannot tell if you are using the package in a vulnerable way, especially if it is deep in the dep tree. Hopefully in the future the tool maintainers can help here.

To follow up, I just published v1.6.2 with the patched version of node-slug.

Fixed here: dodo/node-slug#82