It says there is still one issue. But when running it locally again, it shows me:
# npm audit
=== npm audit security report ===
# Run npm update hosted-git-info --depth 7 to resolve 1 vulnerability
Moderate        Regular Expression Denial of Service
Package         hosted-git-info
Dependency of   stylelint-config-wikimedia [dev]
Path            stylelint-config-wikimedia > stylelint > meow > read-pkg-up > read-pkg > normalize-package-data > hosted-git-info
More info       https://npmjs.com/advisories/1677
found 1 moderate severity vulnerability in 599 scanned packages
run `npm audit fix` to fix 1 of them.
# npm audit fix
updated 1 package in 3s
65 packages are looking for funding
run `npm fund` for details
fixed 1 of 1 vulnerability in 599 scanned packages
# npm audit
=== npm audit security report ===
found 0 vulnerabilities in 599 scanned packages
That looks like an issue with npm audit not doing all possible fixes.
In this package-lock.json, the package hosted-git-info is at version 3.0.7 => 3.0.8 (directly) and 2.8.9 => 2.8.9 as a dependency of read-pkg.
When looking at other extensions with stylelint-config-wikimedia there is the same problem.
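To see what a lockfile actually records after `npm audit fix`, the following added example (not part of the original comment) lists every copy of a package in a parsed package-lock.json. The helper names `findCopies` and `versionsOf` and the sample lockfile are constructed for illustration.

```javascript
// Added example: list every copy of a package recorded in a parsed package-lock.json.
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).
// Note: "path" is the install location in node_modules, not npm audit's logical chain.
function findCopies(lock, name) {
  const found = [];
  const add = (trail, meta) =>
    found.push({ path: trail.join(' > '), version: meta.version, dev: Boolean(meta.dev) });

  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/b"; "" is the root project.
    for (const [key, meta] of Object.entries(lock.packages)) {
      const trail = key.split('node_modules/').filter(Boolean).map((p) => p.replace(/\/$/, ''));
      if (trail.length && trail[trail.length - 1] === name) add(trail, meta);
    }
    return found;
  }
  // v1: recurse through nested "dependencies" objects.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) add(here, meta);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Distinct versions present, so a leftover older copy is easy to spot.
function versionsOf(lock, name) {
  return [...new Set(findCopies(lock, name).map((c) => c.version))].sort();
}

// Constructed sample (lockfileVersion 1 shape), using the versions quoted in the comment.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'hosted-git-info': { version: '3.0.8', dev: true },
    'read-pkg': {
      version: '0.0.0-sample', dev: true,
      dependencies: { 'hosted-git-info': { version: '2.8.9', dev: true } },
    },
  },
};

for (const c of findCopies(sampleLock, 'hosted-git-info')) {
  console.log(`${c.version}\t${c.path}${c.dev ? ' [dev]' : ''}`);
}
```

For a real project, pass the result of `JSON.parse` on the package-lock.json contents instead of `sampleLock`.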