Meteor does not come with any SSL support by default. So Meteor itself is not vulnerable to the popular HeartBleed bug. However, since you’ll be using some other service or tool to enable SSL for your Meteor app, you might have vulnerable to the bug. So, test your app against the HeartBleed bug and take necessary actions. Read the official Meteor blog.
In the last Devshop, we’ve seen the Meteor’s upcoming packaging system. But you might have some problems and need more clarifications about it. Follow this meteor-talk thread to learn more about the upcoming packaging system.