npm dependencies and vulnerability patching efforts
From my understanding express-status-monitor has specific versions of npm dependencies, including handlebars, listed in its package.json. A Snyk process is monitoring the vulnerabilities and submitting pull requests. These pull requests are checked out manually by the maintainer of the project and merged, followed by a manual release of a new npm version of express-status-monitor.
The problem that I am hoping we can solve is that it is taking too long for patched dependencies to make it to a new version of express-status-monitor on npmjs.com. In the meantime, npm keeps flagging the vulnerable dependencies for the consumers of express-status-monitor. I suspect you and any other maintainer of express-status-monitor are busy with other things and the manual effort is a challenge. I would like to suggest a few options to try to reduce the number of hygiene issues that are showing up for consumers of express-status-monitor:
- Perhaps having another one or two maintainers to help out specifically with approving the snyk pull requests and to push updates to npmjs.com repo.
- Changing the specific versions listed in package.json to a caret range (^). If the versions are caret ranges, when a consumer of express-status-monitor does an `npm install` (without a package-lock.json in their project), the latest version of the sub-dependency within the caret range gets picked and the vulnerability in the consumer gets resolved without the need for any updates to express-status-monitor or manual efforts.
Recent handlebars vulnerabilities:
- DoS: patched in >=4.4.5 — https://npmjs.com/advisories/1300
- Arbitrary Code Execution: patched in >=4.5.2 — https://npmjs.com/advisories/1316
- Arbitrary Code Execution: patched in >=4.5.3 — https://npmjs.com/advisories/1324
- Prototype Pollution: patched in >=4.5.3 — https://npmjs.com/advisories/1325
Issue Analytics
- Created 4 years ago
- Reactions: 2
- Comments: 5 (4 by maintainers)
Top GitHub Comments
IMO there's no reason why this package should have to rely on an exact version of handlebars. In theory a semver-major dependency version should be enough, and certainly specifying `^4.5.3` or even `~4.5` should be sufficient. Especially considering this is meant to be a library that's pulled into other projects, exact version pinning should be avoided unless the dependencies are known to be fragile.

express-status-monitor is a "nice to have" in our project but if it's introducing vulnerabilities that tend to go unfixed for extended periods of time we may just have to drop it.
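The issue body and the comment above both turn on how an exact pin, a caret range and a tilde range differ in which handlebars release `npm install` is allowed to pick when no lock file constrains it. The following is an added example, not code from express-status-monitor or from anyone in this thread: a small resolver that implements the semver bound rules for those three specifier styles, picks the highest admissible version from a constructed list of handlebars 4.x releases (not a registry snapshot), and checks the pick against the four advisory fix versions quoted in the issue. The function names, the `PUBLISHED` list and the `FIXES` list are the example's own; pre-release tags (such as `4.5.3-beta.1`) are deliberately not handled.

```javascript
// Added example (not express-status-monitor's code). Resolves an npm dependency
// specifier against a list of published versions the way `npm install` does
// without a package-lock.json: highest version the range admits wins.
// Simplification: plain MAJOR.MINOR.PATCH only, no pre-release or build tags.

function parseVersion(v) {
  // "4.5" -> [4, 5, 0]; "4.5.3" -> [4, 5, 3]
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// [lowInclusive, highExclusive] bounds for an exact pin, a caret range or a tilde range.
function rangeBounds(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = op ? spec.slice(1) : spec;
  const given = base.split('.').length; // how many components the author wrote
  const [major, minor, patch] = parseVersion(base);
  const low = `${major}.${minor}.${patch}`;
  if (op === '^') {
    // caret: changes that leave the left-most non-zero component alone
    if (major > 0) return [low, `${major + 1}.0.0`];
    if (minor > 0) return [low, `0.${minor + 1}.0`];
    return [low, `0.0.${patch + 1}`];
  }
  if (op === '~') {
    // tilde: patch-level changes if a minor was given, minor-level otherwise
    if (given >= 2) return [low, `${major}.${minor + 1}.0`];
    return [low, `${major + 1}.0.0`];
  }
  // exact pin: only that one version
  return [low, `${major}.${minor}.${patch + 1}`];
}

function satisfies(version, spec) {
  const [lo, hi] = rangeBounds(spec);
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0;
}

// Highest published version the specifier admits, or null if none does.
function resolve(spec, published) {
  const ok = published.filter(v => satisfies(v, spec));
  if (ok.length === 0) return null;
  return ok.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}

// true when the resolved version is at or above every advisory's fix version.
function isPatched(spec, published, fixVersions) {
  const picked = resolve(spec, published);
  if (picked === null) return false;
  return fixVersions.every(fix => compareVersions(picked, fix) >= 0);
}

// Constructed sample of handlebars 4.x releases for the example (not a registry snapshot).
const PUBLISHED = ['4.0.5', '4.0.12', '4.1.2', '4.4.5', '4.5.1', '4.5.2', '4.5.3', '4.7.6'];
// Fix versions from the four advisories quoted in the issue (1300, 1316, 1324, 1325).
const FIXES = ['4.4.5', '4.5.2', '4.5.3', '4.5.3'];

// An exact pin such as "4.0.5" stays on the vulnerable release until the library
// itself ships a bump; "^4.0.5", "~4.5" and "^4.5.3" all land on a patched one.
for (const spec of ['4.0.5', '^4.0.5', '~4.5', '^4.5.3']) {
  const picked = resolve(spec, PUBLISHED);
  const status = isPatched(spec, PUBLISHED, FIXES) ? 'patched' : 'VULNERABLE';
  console.log(`${spec.padEnd(7)} -> ${picked} (${status})`);
}
```

Note the caveat the issue itself raises: the caret only helps consumers whose own install is not frozen by a package-lock.json or npm-shrinkwrap.json at the old version; those consumers still need to run `npm update` (or delete and regenerate the lock) before the newer handlebars is picked.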
Version 1.2.9 has been published - it removes the `request` library and bumps other dependencies. Enjoy