Seems there's a few vulnerabilities that have popped up within the yarn.lock file. Notably -
WS-2018-0084
high severity
Vulnerable versions: < 1.13.2
Patched version: 1.13.2
Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.
WS-2018-0076
moderate severity
Vulnerable versions: < 0.6.0
Patched version: 0.6.0
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.
This is exploitable if user supplied input is provided to the auth value and is a number.
WS-2018-0100
moderate severity
Vulnerable versions: >= 1.0.0.1, < 1.0.6
Patched version: 1.0.6
Versions of concat-with-sourcemaps before 1.0.6 allocate uninitialized Buffers when a number is passed as a separator.
As seen here - https://hackerone.com/reports/319593
As seen here - https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0
As seen here - https://hackerone.com/reports/320166
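
A quick way to confirm which of the three alerts above actually apply to a given yarn.lock, added here as an example and not code from the project. It assumes the yarn v1 lockfile format and plain x.y.z versions; the function names and the sample lockfile are made up for illustration.

```javascript
// Added example, not project code. Patched versions are the ones quoted in the
// alerts above; only the upper bound of each vulnerable range is checked.
const PATCHED = new Map([['sshpk', '1.13.2'], ['tunnel-agent', '0.6.0'],
  ['concat-with-sourcemaps', '1.0.6']]);

// True when dotted numeric version a is lower than b.
// Assumption: plain x.y.z versions without prerelease tags.
function lessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Package name of a specifier such as sshpk@^1.7.0 or "@scope/pkg@^1.0.0".
function specName(spec) {
  const s = spec.trim().replace(/^"|"$/g, '');
  return s.slice(0, s.lastIndexOf('@'));
}

// Walk a yarn.lock v1 file: an unindented "name@range:" line starts an entry,
// the indented `version "x"` line gives the version that was resolved for it.
function findVulnerable(lockText) {
  const hits = [];
  let names = [];
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      names = [...new Set(line.slice(0, -1).split(',').map(specName))];
      continue;
    }
    const m = /^  version "([^"]+)"$/.exec(line);
    if (!m) continue;
    for (const name of names) {
      const fixed = PATCHED.get(name);
      if (fixed && lessThan(m[1], fixed)) hits.push({ name, version: m[1], fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from the project).
const SAMPLE = ['# yarn lockfile v1', '', 'sshpk@^1.7.0:', '  version "1.13.1"', '',
  'tunnel-agent@^0.6.0, tunnel-agent@~0.6.0:', '  version "0.6.0"', '',
  'tunnel-agent@~0.4.1:', '  version "0.4.3"', '',
  '"concat-with-sourcemaps@^1.0.0":', '  version "1.0.4"'].join('\n');
console.log(findVulnerable(SAMPLE));
```

Each hit names the package, the locked version and the patched version to move to; entries already at or above the patched version are not reported.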