Just installed pkgsrc-2019Q2, and I get the following message while trying to compile "jq" (/dev/jq):
$ bmake && bmake install
=> Bootstrap dependency digest>=20010302: found digest-20160304
===> Checking for vulnerabilities in jq-1.6
Package jq-1.6 has a denial-of-service vulnerability, see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
*** Error code 1
points out that this denial-of-service is for jq 1.5, while distinfo (as well as the message above) indicate that jq is now version 1.6 in pkgsrc.
... which itself indicates the issue has been fixed in a commit in mid-August 2016.
I think we can safely assume jq 1.6 does not contain the vulnerability anymore. I believe the pkgsrc warning should be removed and/or modified to reflect these changes.