I have a project using bem. Running `npm audit` produces this report:

```
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in >=2.0.0
Dependency of bem [dev]
Path bem > bem-tools-create > bem-config > jsonpath > static-eval
More info https://npmjs.com/advisories/548
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in >=2.0.2
Dependency of bem [dev]
Path bem > bem-tools-create > bem-config > jsonpath > static-eval
More info https://npmjs.com/advisories/758
found 2 moderate severity vulnerabilities in 1834575 scanned packages
2 vulnerabilities require manual review. See the full report for details.
```

bem-config was deprecated some time ago and bem has not had a release in 3 years. How can I resolve these vulnerabilities, please? I've tried both `npm install --save-dev static-eval@2.0.3` and `npm install --save-dev jsonpath@1.0.2` but that didn't make any difference. Thank you.