Forge cli npm package has dependencies to packages with high and critical vulnerability

Hello!

When installing "@forge/cli": "^6.21.0", I get the audit report with high and critical vulnerabilities.
I understand we are in a fast-paced environment, yet reading an audit report with critical and high vulnerabilities raises some concerns for me.

Any chance it gets addressed in the upcoming releases?

Audit report below

# npm audit report

browserify-sign  2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/browserify-sign

loader-utils  2.0.0 - 2.0.3
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/loader-utils

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @forge/cli@0.23.0, which is a breaking change
node_modules/@forge/cli/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/@forge/cli/node_modules/cheerio/node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
    Depends on vulnerable versions of css-select
    node_modules/@forge/cli/node_modules/cheerio
      @forge/bundler  <=0.0.0-experimental-fbe27f8 || >=0.7.11-next.0
      Depends on vulnerable versions of @forge/cli-shared
      Depends on vulnerable versions of @forge/lint
      Depends on vulnerable versions of cheerio
      node_modules/@forge/cli/node_modules/@forge/bundler
        @forge/cli  <=0.0.0-experimental-a9f00a0 || >=0.24.0-next.7
        Depends on vulnerable versions of @forge/bundler
        Depends on vulnerable versions of @forge/cli-shared
        Depends on vulnerable versions of @forge/lint
        Depends on vulnerable versions of @forge/manifest
        Depends on vulnerable versions of @forge/tunnel
        Depends on vulnerable versions of cheerio
        node_modules/@forge/cli
        @forge/tunnel  <=0.0.1-next.15 || >=0.5.5-next.0
        Depends on vulnerable versions of @forge/bundler
        Depends on vulnerable versions of @forge/cli-shared
        Depends on vulnerable versions of @forge/csp
        node_modules/@forge/cli/node_modules/@forge/tunnel
      @forge/cli-shared  >=0.12.2-next.0
      Depends on vulnerable versions of @forge/manifest
      Depends on vulnerable versions of cheerio
      node_modules/@forge/cli/node_modules/@forge/cli-shared
        @forge/lint  <=0.0.0-experimental-fbe27f8 || >=0.4.5-next.0
        Depends on vulnerable versions of @forge/cli-shared
        Depends on vulnerable versions of @forge/manifest
        node_modules/@forge/cli/node_modules/@forge/lint
      @forge/csp  *
      Depends on vulnerable versions of cheerio
      node_modules/@forge/cli/node_modules/@forge/csp
      @forge/manifest  <=0.0.0-experimental-fbe27f8 || >=2.3.1-next.0
      Depends on vulnerable versions of cheerio
      node_modules/@forge/cli/node_modules/@forge/manifest

12 vulnerabilities (11 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
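For readers triaging a report like the one above, here is an added example (not code from the original post, nor from Atlassian or the Forge project) that reads `npm audit --json` output and separates the packages carrying actual advisories from the entries that merely "depend on vulnerable versions of" them, while flagging whether the available fix is a breaking change. The `SAMPLE_REPORT` is constructed and modelled on three entries of the text report in the post; `triageAudit` and its `failAt` threshold are this example's own.

```javascript
// Added example (not from the post or the Forge project): triage an `npm audit --json`
// report (auditReportVersion 2), separating real advisories from propagation entries.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample, modelled on three entries of the text report in the post.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'nth-check': {
      name: 'nth-check', severity: 'high', isDirect: false, range: '<2.0.1',
      via: [{ title: 'Inefficient Regular Expression Complexity in nth-check',
              url: 'https://github.com/advisories/GHSA-rp65-9cf3-cjxr', severity: 'high' }],
      effects: ['css-select'],
      fixAvailable: { name: '@forge/cli', version: '0.23.0', isSemVerMajor: true },
    },
    'css-select': {
      name: 'css-select', severity: 'high', isDirect: false, range: '<=3.1.0',
      via: ['nth-check'], effects: ['cheerio'], // "Depends on vulnerable versions of nth-check"
      fixAvailable: { name: '@forge/cli', version: '0.23.0', isSemVerMajor: true },
    },
    'loader-utils': {
      name: 'loader-utils', severity: 'critical', isDirect: false, range: '2.0.0 - 2.0.3',
      via: [{ url: 'https://github.com/advisories/GHSA-3rfm-jhwj-7488', severity: 'high' },
            { url: 'https://github.com/advisories/GHSA-hhq3-ff78-jv3g', severity: 'high' },
            { url: 'https://github.com/advisories/GHSA-76p3-8jx3-jpfq', severity: 'critical' }],
      effects: [], fixAvailable: true, // non-breaking fix via `npm audit fix`
    },
  },
};

// A root entry is one whose `via` holds advisory objects; an entry whose `via` is only
// package names inherits its problem from a dependency. Returns both lists plus the
// roots at or above `failAt`, so CI can gate on advisories rather than the inflated count.
function triageAudit(report, failAt = 'high') {
  const roots = [], propagated = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const advisories = (v.via || []).filter((x) => typeof x === 'object' && x !== null);
    if (advisories.length === 0) { propagated.push(name); continue; }
    const fix = v.fixAvailable;
    roots.push({
      name, range: v.range, severity: v.severity,
      advisories: advisories.map((a) => a.url),
      fixable: fix !== false,
      breakingFix: typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true,
    });
  }
  const failing = roots.filter((r) => SEVERITY_RANK[r.severity] >= SEVERITY_RANK[failAt]);
  return { roots, propagated, failing, shouldFail: failing.length > 0 };
}
```

Run against the parsed output of `npm audit --json` instead of `SAMPLE_REPORT`; applied to the report in the post, the 12 listed packages reduce to three root packages (browserify-sign, loader-utils, nth-check) carrying five advisories, with only the nth-check fix requiring the breaking `--force` downgrade.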

@FabienLydoire,

I think the best channel for reporting security vulnerabilities, and this concern, would be the Atlassian bug bounty program. The linked document describes some of the channels that would get the fastest attention, but you can also take the simple approach of emailing to: security@atlassian.com.
