npm install of Kartotherian shows
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
The vulnerability is that a specially crafted Set-Cookie can cause the service to block for excessive amounts of time.
I think this comes in from our use of request@2.81.0.