mac-s-g / react-json-view

JSON viewer for react

Home Page: https://mac-s-g.github.io/react-json-view/demo/dist/

Transitive Critical Vulnerability through `flux`

eallen10 opened this issue · comments

flux version 4.0.2 contains a nested transitive dependency on version 2.6.1 of node-fetch:

flux/4.0.2
    fbjs/3.0.0
        cross-fetch/3.1.4
            node-fetch/2.6.1

A simple version bump to the latest flux 4.0.3 should resolve this vuln by bubbling down the newer versions of the transitive deps, which result in node-fetch 2.6.7.
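
The check below is an added example, not part of the issue or the project's code: it walks a resolved dependency map and reports every chain from flux that ends in a node-fetch older than 2.6.7. The maps are constructed sample data mirroring the tree in the issue, and `cmpVersion` and `findVulnerableChains` are hypothetical helper names.

```javascript
// Constructed resolution maps (name -> resolved version + direct deps).
// "before" mirrors the tree in the issue; this is sample data, not a real lockfile.
const before = {
  "flux":        { version: "4.0.2", requires: ["fbjs"] },
  "fbjs":        { version: "3.0.0", requires: ["cross-fetch"] },
  "cross-fetch": { version: "3.1.4", requires: ["node-fetch"] },
  "node-fetch":  { version: "2.6.1", requires: [] },
};
// After the bump the issue proposes. Intermediate versions are not given on the
// page, so they are marked as unspecified rather than guessed.
const after = {
  "flux":        { version: "4.0.3", requires: ["fbjs"] },
  "fbjs":        { version: "unspecified", requires: ["cross-fetch"] },
  "cross-fetch": { version: "unspecified", requires: ["node-fetch"] },
  "node-fetch":  { version: "2.6.7", requires: [] },
};

// Compare dotted numeric versions; returns <0, 0 or >0.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk from `root`; returns every dependency chain that ends at
// `target` resolved below `minSafe`. `seen` guards against dependency cycles.
function findVulnerableChains(graph, root, target, minSafe, chain = [], seen = new Set()) {
  const node = graph[root];
  if (!node || seen.has(root)) return [];
  const here = [...chain, `${root}/${node.version}`];
  if (root === target) {
    return cmpVersion(node.version, minSafe) < 0 ? [here.join(" > ")] : [];
  }
  const nextSeen = new Set(seen).add(root);
  return node.requires.flatMap((dep) =>
    findVulnerableChains(graph, dep, target, minSafe, here, nextSeen));
}

console.log(findVulnerableChains(before, "flux", "node-fetch", "2.6.7"));
console.log(findVulnerableChains(after, "flux", "node-fetch", "2.6.7"));
```

Against a real project, the same walk applies to the resolved tree that `npm ls node-fetch` prints.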