Hey @remie!
Inside of Atlassian we are consistently scanning these repositories for known vulnerabilities in third party packages. When they’re identified, we raise an internal vulnerability ticket for the team, and start the SLA for the team in line with our policy outlined here: Security Bugfix Policy | Atlassian.
Teams are generally good at adhering to these timeframes, but every once in a while something does go awry for whatever reason, and the timeframes get missed. In the events that does happen, we will obviously be flexible in how we address that dependency with people who are working with them downstream.
This specific scenario hasn’t been war-gamed out into a documented process for our team yet - but suffice to say that if we aren’t able to meet our SLA for whatever reason, then we’re obviously going to be reasonable about the flow on impact of that issue.
I hope that helps answer the question 
Cheers,
Matt