It is not a real vulnerability. CVE rating 7.5 is nonsense. More like 2.5.
They can’t even produce a working exploit. Some folks have found some slowdown for 100 million braces, which is nonsense. Would you personally build such a regex?
There are no other packages to switch to. They are either ESM-only, or very slow, or potentially dangerous with unknown maintainers. They can upload malware to chokidar users.