The mask-passwords plugin contains CVE-2019-10370 for which there is no released fix; however, the Logstash plugin depends on this plugin:
https://github.com/jenkinsci/logstash-plugin/blob/master/pom.xml#L162
The dependency you link to is only used in test (as can be seen by it's scope).
I fail to see why it would be a problem. Please reopen if I'm missing something
In the Jenkins UI "This plugin cannot be uninstalled it has one or more dependents Logstash" when I hover over "Uninstall" for "Mask Passwords Plugin"
Please try upgrading the plugin to latest version, as old versions depended on mask-passwords