The fix for this issue was released a while back on their master branch but
no one packaged it into release. On the project website
<https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
released more than two years ago. It is vulnerable to this CVE.
It is worth mentioning someone on the project GitHub someone released
1.6rc1 last year and it includes the fix for this issue. You might want to
consider packaging this release but I am not very familiar with the jq
release process or found any documentation of it.