After I forked internally, dependabot found that minimist has a critical vulnerability.

minimist is coming as part of the dependencies of random-message.

Though this is a dev dependency and will not affect production, it would be good to avoid this altogether.