indexzero / populist-style

A (one day) auto-updating style at the mercy of the people, and only the people.


Update dependency on eslint-find-rules

wbt opened this issue · comments

commented

The current package.json depends on eslint-find-rules@3.6.1, which in turn depends on yargs@8.0.2 and yargs-parser@7.0.0, which suffers from this moderate-severity vuln, causing audit failures.
Updating to eslint-find-rules@4 (current version is 4.1.0) should fix this issue, but I'm not yet sure what, if anything, else it might break. Support for ESLint 8.x and dropping ESLint 7.x is what's labeled as a breaking change.

commented

This would also resolve an issue with a moderate-severity vuln in mem <4 and another in ansi-regex >2.1.1 <5.0.1.

I just arrived here too via the same path, @wbt. I think the best option may be to just fork under the winstonjs org and update that? Hopefully that is cool with @indexzero? (Other solutions welcomed!)

commented

Fortunately, it's just a dev dependency in Winston so the affected population is pretty tiny.
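The two comments above describe the same problem from the defender's side: an audit flags a package (yargs-parser, mem, ansi-regex) that nobody lists directly, so the first question is which dependency chain drags it in and whether the installed version actually falls inside the advisory range. The script below is an added example, not code from this repository or its maintainers. It walks a package-lock.json v2/v3 `packages` map with Node-style nested resolution, lists every chain from the project root to a named package, and checks the resolved version against a simple comparator range. The lockfile embedded in it is constructed for illustration: only the chain eslint-find-rules@3.6.1 > yargs@8.0.2 > yargs-parser@7.0.0 and the ranges `mem <4` and `ansi-regex >2.1.1 <5.0.1` come from the issue; the other packages, versions and edges are made up.

```javascript
// Added example (not part of the populist-style project). Audits an npm
// lockfile's "packages" map for transitive dependencies inside a vulnerable
// version range and reports the chain that pulls each one in.

// Constructed sample lockfile. Only eslint-find-rules -> yargs -> yargs-parser
// and the two ranges below are taken from the issue; everything else is invented
// to show nested resolution (a patched top-level copy beside a nested old copy).
const sampleLock = {
  name: "populist-style",
  packages: {
    "": {
      dependencies: { "ansi-regex": "^5.0.1" },
      devDependencies: { "eslint-find-rules": "^3.6.1" },
    },
    "node_modules/eslint-find-rules": { version: "3.6.1", dependencies: { yargs: "^8.0.2" } },
    "node_modules/yargs": {
      version: "8.0.2",
      dependencies: { "yargs-parser": "^7.0.0", mem: "^1.1.0", "string-width": "^2.0.0" },
    },
    "node_modules/yargs-parser": { version: "7.0.0" },
    "node_modules/mem": { version: "1.1.0" },
    "node_modules/string-width": { version: "2.1.1", dependencies: { "ansi-regex": "^4.0.0" } },
    "node_modules/ansi-regex": { version: "5.0.1" },
    "node_modules/string-width/node_modules/ansi-regex": { version: "4.1.0" },
  },
};

// Ranges quoted in the issue comments (advisory comparator syntax).
const VULN_RANGES = { mem: "<4", "ansi-regex": ">2.1.1 <5.0.1" };

// Minimal semver: major.minor.patch as numbers, missing parts treated as 0,
// prerelease/build metadata ignored (enough for advisory ranges like "<4").
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Space-separated comparators are ANDed: ">2.1.1 <5.0.1" means both must hold.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
    const op = m[1] || "=";
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[op];
  });
}

// Node-style lookup inside the lockfile: nearest node_modules first, then walk
// up towards the project root ("" is the root package entry).
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root over dependencies (plus devDependencies at the
// root only). Returns every chain ending at `target` as [{name, version}, ...].
// Cycles are cut by refusing to revisit a path already on the current trail.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, trail) => {
    const pkg = packages[path];
    const deps = { ...(pkg.dependencies || {}), ...(path === "" ? pkg.devDependencies || {} : {}) };
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || trail.some((t) => t.path === depPath)) continue;
      const next = trail.concat({ path: depPath, name, version: packages[depPath].version });
      if (name === target) chains.push(next.map(({ name, version }) => ({ name, version })));
      walk(depPath, next);
    }
  };
  walk("", []);
  return chains;
}

// One finding per (package, chain) whose resolved version is inside the range.
function auditLock(lock, ranges) {
  const findings = [];
  for (const [name, range] of Object.entries(ranges)) {
    for (const chain of findChains(lock, name)) {
      const { version } = chain[chain.length - 1];
      if (satisfies(version, range)) {
        findings.push({ name, version, range, chain: chain.map((t) => `${t.name}@${t.version}`).join(" > ") });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLock(sampleLock, VULN_RANGES)) console.log(`${f.name}@${f.version} (${f.range}) via ${f.chain}`);
}

module.exports = { sampleLock, VULN_RANGES, satisfies, resolveDep, findChains, auditLock };
```

Run it with `node audit-lock.js` (any filename). The point the constructed lockfile makes is that the top-level ansi-regex@5.0.1 is outside the range and is not reported, while the nested copy under string-width is; a check that only looks at top-level entries would miss exactly the case the audit complains about. To use it on a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and fill `VULN_RANGES` from the advisory you are triaging.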