CVE-2022-23494 seems to affect tinyMCE versions <5, and mosaico currently uses tinyMCE v4.9.11 as default. #644 added support for newer tinyMCE versions and, indeed, I could just npm install tinymce@5 and then use grunt build(with a few gruntfile changes) to create a mosaico distribution that uses tinyMCE 5.10.7 instead of the vulnerable 4.9.

However, package.json.NOTES state

• tinymce is "locked" to 4.9.x because our skin, build code, and css overrides
  still rely on 4.x.

Are there any plans of updating mosaico to ship with tinyMCE 5 by default? Or maybe a separate branch? Is current mosaico even vulnerable to CVE-2022-23494 due to the underlying tinyMCE?

What's the status on this?