tinymce 4.x has a vulnerability, could mosaico be distributed with 5.x by default?

[BarbieroDB1]

CVE-2022-23494 seems to affect tinyMCE versions <5, and mosaico currently uses tinyMCE v4.9.11 as default. #644 added support for newer tinyMCE versions and, indeed, I could just npm install tinymce@5 and then use grunt build(with a few gruntfile changes) to create a mosaico distribution that uses tinyMCE 5.10.7 instead of the vulnerable 4.9.

However, package.json.NOTES state

• tinymce is "locked" to 4.9.x because our skin, build code, and css overrides
  still rely on 4.x.

Are there any plans of updating mosaico to ship with tinyMCE 5 by default? Or maybe a separate branch? Is current mosaico even vulnerable to CVE-2022-23494 due to the underlying tinyMCE?

What's the status on this?

[bago]

1. "Are there any plans of updating mosaico to ship with tinyMCE 5 by default?": no plans, as Tinymce versions are full of bugs and we found 4.9.11 is stable enough (and we added a lot of version specific workarounds and testing hours for this version);
2. "Or maybe a separate branch?": we accept contributions;
3. "Is current mosaico even vulnerable to GHSA-gg8r-xjwq-4w92 due to the underlying tinyMCE?": AFAIK no as the CVE is about "alerts" by plugins like the image plugin and we don't use them.