This patch includes a requested security feature for denying symlinks. Enable, using --deny-symlinks flag and symlinks will receive a "Forbidden" response for all files that are symlinks.
Node Security Advisory
https://www.npmjs.com/advisories/816
HackerOne Reprot
https://hackerone.com/reports/530289