A patch came out today for 4.8.4 which corrects this. I see that package.json specifies engines >=4.1 <5 which does indeed resolve to the latest 4,.x which would become 4.8.4 at the next reboot.
Make some change and then re-deploy, so as to trigger it to reboot the dynos, which will recompile them and use 4.8.4
Heroku announced a vulnerability in Node 4.8.x today https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
A patch came out today for 4.8.4 which corrects this. I see that
package.jsonspecifies engines>=4.1 <5which does indeed resolve to the latest 4,.x which would become 4.8.4 at the next reboot.Make some change and then re-deploy, so as to trigger it to reboot the dynos, which will recompile them and use 4.8.4