Is buddy still maintained? I opened a PR against it 22 days ago for a CVE in its deps and it has gone unanswered. https://github.com/funcool/buddy-core/pull/75 I note that buddy-auth says it is looking for a maintainer.
sorry for late response, I will manage a release this days with your fix, meanwhile you can just force the dependency on your own deps