Yeah I saw this happen to me as well. Not sure why... When i went through updating my forum though, the ./nodebb upgrade step caught it.
I've since published 1.1.0 which upgrades the dependencies to something more recent, and less vulnerable. Apparently npm audit caught it but snyk didn't... 😕