Ok, so I haven't fixed this yet, mostly because of my compete unfamiliarity with the secure-scuttlebutt module.

I should also note that I'm using a fork of scuttlebot from lts, so I'm not exactly using the latest ssb either. The connections layer doesn't work for me, so I can't use the last three major version of ssb over here.

I tried just commenting out the unboxer stuff, and that didn't work because errors started throwing in all kinds of flume modules that I have no control over.

My first step has been getting more familiar with how secure-scuttlebutt works, and how it has changed over time. In the process I did discover when this vulnerability was introduced: