I need to consult this with the Developers as I ma not qualified to call this a false alarm, which I suspect it to be.
I will update you here.
Note that I deleted the complete content of your post, but saved it internally.
For the future, please use this form to submit potential security threats:
https://toolset.com/report-security-vulnerability-issues/
Thank you - I will update you here, or another supporter will.
I consulted this with the Developers and this should be a false alarm.
The only code that could provoke such a report is located at the very bottom of that file and is a harmless reference to a file mapping the transpiled script to the original source.
It's harmless, but included in that file by mistake and we will remove it (bugfix).
It's something that is not needed for the production version of the plugin and hence should be removed,
Thank you of the heads up, you can as well inform your Host service that this is a false alarm.
If any other reports come up please do not hesitate to use the form I shared above.