Basically, yes. Horizon contributors generally can't fix a vulnerability *in* jQuery, though they may sometimes be able to implement a workaround for one in order to avoid exposing that vulnerability to users. Horizon contributors can, given available time and inspiration, make the software work with a newer version of jQuery which includes a fix for that vulnerability, but because we freeze dependency versions at release time that wouldn't be backportable (it's still a good thing to do, of course).
Basically, yes. Horizon contributors generally can't fix a vulnerability *in* jQuery, though they may sometimes be able to implement a workaround for one in order to avoid exposing that vulnerability to users. Horizon contributors can, given available time and inspiration, make the software work with a newer version of jQuery which includes a fix for that vulnerability, but because we freeze dependency versions at release time that wouldn't be backportable (it's still a good thing to do, of course).