
Conversation

dillonthompson

No description provided.

@ljharb
Member

ljharb commented Jul 11, 2025

The fix is already in range, there's no need for anyone in between to do anything, ever. All you need to do is update your lockfile.

Duplicate of #243. Duplicate of #242.

@ljharb ljharb closed this Jul 11, 2025
@dillonthompson
Author

Maybe just enable dependabot or have some sort of automated process to bump the versions on vulnerable deps.

@ljharb
Member

ljharb commented Jul 11, 2025

I certainly could, but there's no value in doing so. That's the entire point of semver ranges - so intervening packages don't have to have their time wasted bumping deps when there's a security issue.

@dillonthompson
Author

It is still an issue, obviously, if 3 people have opened PRs about it; it's a nuisance. We did the work for you; all you have to do is approve the PR. You're putting more effort into explaining this than you otherwise would have to just approve the first PR.

@ljharb
Member

ljharb commented Jul 11, 2025

The effort in explaining it is worth the future benefit to me and the entire ecosystem of slightly fewer people wasting the time of unpaid volunteer open source maintainers.

The "nuisance" is that you haven't learned that all you need to do is update your lockfile, which both npm audit fix and dependabot (and friends) all do for you. It takes less time to fix your application than to even load up github.com to make this PR.
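The point made in these two replies (the fix is already inside the declared semver range, so only the consumer's lockfile needs refreshing) can be checked mechanically. The following is an added example, not code from this thread or from the project; the package name, range, lockfile version, advisory and registry versions are all constructed, and the range parser covers only plain caret and tilde ranges the way npm interprets them.

```python
"""Decide whether a security fix needs a manifest change or only a lockfile refresh."""
import re

# Constructed sample data (hypothetical dependency, not from the thread).
PACKAGE_JSON_RANGE = "^1.4.0"    # what the intermediate package declares
LOCKFILE_RESOLVED = "1.4.2"      # what the consumer's lockfile pinned
PATCHED_VERSION = "1.4.5"        # first non-vulnerable version per the advisory
REGISTRY_VERSIONS = ["1.3.9", "1.4.0", "1.4.2", "1.4.5", "2.0.0"]


def parse(version: str) -> tuple:
    """Split 'MAJOR.MINOR.PATCH' into a comparable int tuple (no prerelease tags)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    return tuple(int(x) for x in m.groups())


def satisfies(version: str, rng: str) -> bool:
    """Caret/tilde semantics as npm applies them: ^1.2.3 is >=1.2.3 <2.0.0,
    ^0.2.3 is >=0.2.3 <0.3.0, ^0.0.3 is >=0.0.3 <0.0.4, ~1.2.3 is >=1.2.3 <1.3.0."""
    op, base = rng[0], rng[1:]
    major, minor, patch = parse(base)
    if op == "^":
        if major > 0:
            upper = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
    elif op == "~":
        upper = (major, minor + 1, 0)
    else:
        raise ValueError(f"unsupported range operator in {rng}")
    return (major, minor, patch) <= parse(version) < upper


def refresh_lockfile(rng: str, available: list) -> str:
    """Model of a lockfile refresh: pick the highest published version in range."""
    return max((v for v in available if satisfies(v, rng)), key=parse)


def triage(rng: str, locked: str, patched: str, available: list) -> tuple:
    """Return (action, resolved_version) for the consumer of this dependency."""
    if parse(locked) >= parse(patched):
        return ("already fixed", locked)
    if not satisfies(patched, rng):
        return ("manifest change needed", locked)   # fix is outside the range
    resolved = refresh_lockfile(rng, available)
    if parse(resolved) < parse(patched):
        return ("fix not yet published in range", resolved)
    return ("lockfile refresh only", resolved)      # what npm audit fix / dependabot do
```

Running `triage(PACKAGE_JSON_RANGE, LOCKFILE_RESOLVED, PATCHED_VERSION, REGISTRY_VERSIONS)` on the constructed data yields a lockfile-only refresh to 1.4.5, with no change to the intermediate package's package.json.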

@dillonthompson
Author

👍 Got it - thanks for educating me! I thought I was helping but I ended up wasting your unpaid time - sorry man! I'll try to be better for you.

@ljharb
Member

ljharb commented Jul 11, 2025

I do appreciate the desire to help, but updating in-range dependencies isn't ever a helpful contribution for anyone.
