Ok, so I haven't fixed this yet, mostly because of my compete unfamiliarity with the secure-scuttlebutt
module.
I should also note that I'm using a fork of scuttlebot from lts, so I'm not exactly using the latest ssb either. The connections layer doesn't work for me, so I can't use the last three major version of ssb over here.
I tried just commenting out the unboxer
stuff, and that didn't work because errors started throwing in all kinds of flume modules that I have no control over.
My first step has been getting more familiar with how secure-scuttlebutt
works, and how it has changed over time. In the process I did discover when this vulnerability was introduced: