According to Snyk, stringstream has a vulnerability when run on Node.js 4.x and below.

The bug comes from this line : https://github.com/mhart/StringStream/blob/v0.0.5/stringstream.js#L32
More details can be found here : https://hackerone.com/reports/321670

Thank you for the package, by the way !