A quick workaround if you're affected by a deep dependency and don't rely on stylus directly - add `"overrides": {"stylus": "0.0.1-security"}` to your package.json