Composer audit found false positive security vunlerability

Problem/Motivation

When you run command composer audit (available with composer > 2.4) on a drupal project which have required vppr, the command find a security vulnerability advisory on package drupal/vppr.

I think this because of SA-CONTRIB-2022-016 → which affect all versions. But in my opinion, 8.x-1.2 is not concerned (all previous releases are tagged "Insecure"), am I right ?

Steps to reproduce

Install new drupal project with composer
Require vppr
Run command composer audit