npm audit fix claims to have fixed vulnerability, but it doesn't

What I Wanted to Do

Fix the following vulnerability by running npm audit fix:

  Critical        Arbitrary Code Execution                                      
                                                                                
  Package         eslint-utils                                                  
                                                                                
  Dependency of   @hapi/lab [dev]                                               
                                                                                
  Path            @hapi/lab > eslint > eslint-utils                             
                                                                                
  More info       https://npmjs.com/advisories/1118 

What Happened Instead

npm audit fix reported:

updated 1 package in 1.545s
fixed 1 of 1 vulnerability in 574 scanned packages

But running npm audit reveals that the vulnerability is still there.

Running npm update eslint-utils --depth 3 actually fixed the vulnerability.

Reproduction Steps

  1. Run npm audit and see:
# Run  npm update eslint-utils --depth 3  to resolve 1 vulnerability
                                                                                
  Critical        Arbitrary Code Execution                                      
                                                                                
  Package         eslint-utils                                                  
                                                                                
  Dependency of   @hapi/lab [dev]                                               
                                                                                
  Path            @hapi/lab > eslint > eslint-utils                             
                                                                                
  More info       https://npmjs.com/advisories/1118                            
                                                                                


found 1 critical severity vulnerability in 574 scanned packages
  run `npm audit fix` to fix 1 of them.
  2. Run 'npm audit fix' and see:
updated 1 package in 1.461s
fixed 1 of 1 vulnerability in 574 scanned packages
  3. Run 'npm audit' and see:
# Run  npm update eslint-utils --depth 3  to resolve 1 vulnerability
                                                                                
  Critical        Arbitrary Code Execution                                      
                                                                                
  Package         eslint-utils                                                  
                                                                                
  Dependency of   @hapi/lab [dev]                                               
                                                                                
  Path            @hapi/lab > eslint > eslint-utils                             
                                                                                
  More info       https://npmjs.com/advisories/1118                           
                                                                                


found 1 critical severity vulnerability in 574 scanned packages
  run `npm audit fix` to fix 1 of them.

Details

Dependency versions:
@hapi/lab: 19.1.0
eslint: 4.19.1

Platform Info

$ npm --versions
{ 'pds-lc3-test-data-suite': '1.0.0',
  npm: '6.11.3',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.12',
  zlib: '1.2.11' }
$ node -p process.platform
win32
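
A check that does not rely on the "fixed 1 of 1" summary, added here as an example (it is not part of the original report and not npm's own code): snapshot package-lock.json before and after the fix run and list the copies of the package whose version did not change. It assumes an npm 6 lockfile (lockfileVersion 1); the helper names, the lockfile layout and the eslint-utils versions in the sample are constructed placeholders.

```javascript
// Added example (not npm's code): verify an `npm audit fix` run against the
// lockfile. Assumes npm 6 package-lock.json (lockfileVersion 1), where nested
// installs sit under each entry's `dependencies`.

// Return every installed copy of `name` with its physical location.
function findInstalled(node, name, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = trail.concat(dep);
    if (dep === name) hits.push({ path: here.join(' > '), version: info.version });
    hits.push(...findInstalled(info, name, here)); // descend into nested installs
  }
  return hits;
}

// Copies of `name` whose version is identical in both lockfiles, i.e. the
// copies the fix run did not touch.
function unchangedCopies(before, after, name) {
  const seen = new Map(findInstalled(after, name).map(h => [h.path, h.version]));
  return findInstalled(before, name).filter(h => seen.get(h.path) === h.version);
}

// Constructed sample data. Layout and eslint-utils versions are placeholders.
function sampleLock(eslintUtilsVersion) {
  return {
    lockfileVersion: 1,
    dependencies: {
      '@hapi/lab': { version: '19.1.0', dev: true },
      eslint: {
        version: '4.19.1', dev: true,
        dependencies: { 'eslint-utils': { version: eslintUtilsVersion, dev: true } },
      },
    },
  };
}

const before = sampleLock('0.0.1-constructed');
const afterNoOp = sampleLock('0.0.1-constructed');   // fix run changed nothing
const afterUpdate = sampleLock('0.0.2-constructed'); // package actually updated

console.log(unchangedCopies(before, afterNoOp, 'eslint-utils'));
console.log(unchangedCopies(before, afterUpdate, 'eslint-utils'));
```

The paths returned are physical install locations in the lockfile, which can differ from the logical "Path" line that npm audit prints when a package has been hoisted.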