When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example,
static(_dirname + '/public') would allow access to
_dirname + '/public-restricted'.
Upgrade to a version greater than or equal to 0.8.4.