I was once in a similar situation. It was less to do with the repo not addressing security patches and more about the repo not being maintained at all for about a year.
The library in question was a core module in our model layer, and rewriting that layer to use a different package didn't seem worth the effort. I figured out where the bug was and raised a PR. But since the repo was not being maintained, no one actually got to viewing the issue and the PR.
So we quietly forked the repo, pushed it to npm with the package namespaced to our company, i.e. @company-name/package-name, and used the fork (with the bugfix) after that. 😄