[Security] Bump yarn from 1.7.0 to 1.19.0

[dependabot-preview[bot]]

Bumps yarn from 1.7.0 to 1.19.0. This update includes a security fix.

Vulnerabilities fixed

*Sourced from The GitHub Security Advisory Database.* > **High severity vulnerability that affects yarn** > Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network. > > Affected versions: < 1.17.3

Release notes

*Sourced from [yarn's releases](https://github.com/yarnpkg/yarn/releases).* > ## v1.19.0 > No release notes provided. > > ## v1.18.0 > No release notes provided. > > ## v1.17.3 > No release notes provided. > > ## v1.17.2 > No release notes provided. > > ## v1.17.1 > No release notes provided. > > ## v1.17.0 > No release notes provided. > > ## v1.16.0 > No release notes provided. > > ## v1.15.2 > No release notes provided. > > ## v1.15.1 > No release notes provided. > > ## v1.15.0 > No release notes provided. > > ## v1.14.0 > No release notes provided. > > ## v1.13.0 > - Implements a new `package.json` field: `peerDependenciesMeta` > > [#6671](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6671) - [**Maël Nison**](https://twitter.com/arcanis) > > - Adds an `optional` settings to `peerDependenciesMeta` to silence missing peer dependency warnings > > [#6671](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6671) - [**Maël Nison**](https://twitter.com/arcanis) > > - Implements `yarn policies set-version [range]`. Check [the documentation]() for usage & tips. > > [#6673](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6673) - [**Maël Nison**](https://twitter.com/arcanis) > > - Fixes a resolution issue when a package had an invalid `main` entry > > [#6682](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6682) - [**Maël Nison**](https://twitter.com/arcanis) > > ... (truncated)

Changelog

*Sourced from [yarn's changelog](https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md).* > ## 1.19.0 > > **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal. > > - Fixes a potential vulnerability regarding how the build artifacts are stored > > Reported by [**ChALkeR**](https://github.com/ChALkeR), fixed by [**Maël Nison**](https://twitter.com/arcanis) > > ## 1.18.0 > > - Suggests using the Yarn 2 development trunk on PnP-enabled projects > > [#7512](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis) > > - Preserves linked packages when calling `yarn create` > > [#7543](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7543) - [**Nick McCurdy**](https://github.com/nickmccurdy) > > - Fixes the offline mirror filenames when using Verdaccio > > [#7499](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7499) - [**xv2**](https://github.com/xv2) > > - Fixes using `link:.` to refer to the package folder > > [#7512](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis) > > - Runs the `prepare` lifecycle of git dependencies even if `NODE_ENV` is set to `production`. > > [#7398](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7398) - [**John Firebaugh**](https://github.com/jfirebaugh) > > - Fixes the `postversion` lifecycle method not being called when using `--no-git-tag-version`. > > [#7154](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7154) - [**Hampus Tågerud**](https://github.com/hampustagerud) > > - Ignores potentially large vscode keys in package.json to avoid E2BIG errors. > > [#7419](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7419) - [**Eric Amodio**](https://twitter.com/eamodio) > > - Enforces https for the Yarn and npm registries. > > [#7393](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7393) - [**Maël Nison**](https://twitter.com/arcanis) > > - Adds support for reading `yarnPath` from v2-produced `.yarnrc.yml` files. > > [#7350](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7350) - [**Maël Nison**](https://twitter.com/arcanis) > > ## 1.17.0 > > - Adds prereleases flags and prerelease identifier to `yarn version`. > > ... (truncated)

Commits

- [`c3d256f`](https://github.com/yarnpkg/yarn/commit/c3d256fcf641de4fe8d4d6034a2b046fafae30c0) v1.19.0 - [`34efd23`](https://github.com/yarnpkg/yarn/commit/34efd23305b9da701aae96f29302b71a5a0ea2e6) Adds a check for the hash too - [`fa74645`](https://github.com/yarnpkg/yarn/commit/fa746451eeae79ec35e87bbec14576d6831984fe) Validation fix ([#7582](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7582)) - [`29a8c58`](https://github.com/yarnpkg/yarn/commit/29a8c583179ec77b5fdcdd3ce348bbe08ecd2abf) Fixes the problem another way - [`9322e76`](https://github.com/yarnpkg/yarn/commit/9322e76fba6a83696ec7104c1af3111ab58a0fff) Fixes tests - [`431a9e9`](https://github.com/yarnpkg/yarn/commit/431a9e96405f43a60b3ffa3034921ec8d321a403) Fixes flow linting - [`b29af01`](https://github.com/yarnpkg/yarn/commit/b29af010c6be5a6a981c5feb6cfca7d31254d529) Update CHANGELOG.md - [`061a3d8`](https://github.com/yarnpkg/yarn/commit/061a3d81d410a6803220df3dcef20effee7852bb) Update CHANGELOG.md - [`a14fc43`](https://github.com/yarnpkg/yarn/commit/a14fc439ec02445aa59fa2e4a7e382061a424be5) 1.19.0-0 - [`c08d0e3`](https://github.com/yarnpkg/yarn/commit/c08d0e31d769bf18680f86f0ffd8efcc56fb4c61) v1.18.0 - Additional commits viewable in [compare view](https://github.com/yarnpkg/yarn/compare/v1.7.0...v1.19.0)

Maintainer changes

This version was pushed to npm by [danbuild](https://www.npmjs.com/~danbuild), a new releaser for yarn since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.

[dependabot-preview[bot]]

Superseded by #101.