npm audit fix doesn't help fix it

npm dependencies is only used for tests, it is not used directly in the smart contract code.

To check that is doesn't affect the build, you can build the contract by raw func (compile.sh) and get the same hash of code.