[2.0.3] - 2022-03-14
Fixed:
The `original` dependency (and therefore its transitive dependency `url-parse`) had accidentally been included twice, once as a dependency of `js-eventsource` and then again directly in the SDK's `package.json`. This has been removed so there is no longer any reference to the vulnerable `url-parse` that was meant to be removed in 2.0.2. (Thanks, AlexHladin!)