Release process regarding vulnerability fix PRs

I use jsreport for a project in which we run SNYK every now and then, in which jsreport tends to show up through some npm packages (directly or inderictly).
In the last few weeks we have created some PRs to resolve some of these vulnerabilities (mine was closed, but that is beside the point).
If we create PRs and get them merged, will this result in a new release being made which contains just the fix for the vulnerability, or would we still need to wait for you to decide when a release is ready?