I just updated from Strapi 4.12.1 to 4.13.5 as 4.13.1 was declared vulnerable. I usually ignore these "update ready" prompts because I don't want to update too often.
I think a more intrusive and attention-grabbing prompt should be shown to admins when a vulnerability is found, so they can act faster. This prompt should also include the date that the vulnerability will be publicly disclosed.