A fix has been published in npm for a significant security issue in A2 0.4 and 0.5.
People whose accounts have been moved to the trash were still able to log in, with all of their privileges intact.
To address this issue, update to the latest release in the 0.4.x or 0.5.x series of the "apostrophe" module. If you are pinned on older versions, an alternative is to locate the relevant commits in the recent history of the "0.4" and "master" branches, respectively, and generate patches for your project. For best security, we recommend you roll up to the latest.
This bug does not appear in the "unstable" branch (which will soon be 0.6). 0.6 is not ready for production use and is mentioned just for completeness.
This bug also does not exist in the PHP-based Apostrophe 1.x series.
--
THOMAS BOUTELL, DEV & OPS