Hi @yen,
See my response to your earlier post. Long story short, these libraries do not always present a usable attack surface, and in those cases we may not rush to update them. We don’t believe that OJS 3.4.0-4 presents a risk with the issues above due to the way we use those libraries/resources.
Thanks,
Alec Smecher
Public Knowledge Project Team