kanongil / brok

Brotli encoder and decoder for hapi.js

Decompression security note

qraynaud opened this issue · comments

Is there any reason to keep decompression deactivated by default from now on?

On a side note, the documentation still says about the decompress option: Do not enable unless required (see security note). I can't see any security note anymore (I remember the one that was there before, when the decompression algorithm did not come from node's core). Maybe this note should be removed?

I guess I missed the note reference. I still don't think it should be enabled by default, as it still introduces an extra attack vector. Anyone who needs it can easily enable it.