Hi @SrivathsavGandrathi,
Thank you for the heads up.
I think all marketplace vendors would like Atlassian to also ship software without critical vulnerabilities. However, we have to deal with insecure software from Atlassian. For details see: https://community.developer.atlassian.com/t/raising-the-bar-on-marketplace-cloud-app-security-together/98750/4
In addition to insecure dependencies, Forge CLI, for example, also ships with obsolete dependencies like undici, since e.g. fetch is part of all supported runtimes on Forge.