Thanks for clarifying!
Regarding the vulnerability: to me (and, I guess, many other v3 use cases that use Strapi mostly as an API with a login provided to a few administrators only) this is really good news!
But to be future-proof (and for the time an update is no option), yes, such patch-package instructions would be greatly appreciated.