Just create an issue or pull request on Github.

The vulnerability has to be a part of the basic installment e.g. when install by npm install flexsearch. Every vulnerability which is included by any of the devDependencies probably won't be fixed.