yarn audit does not throw warnings for known vulnerabilities in package.json

[lzzluca]

Bug report for Yarn audit version 1.17.3

How to replicate it

• create a folder with any name, for example my-app
• cd my-app
• paste this as content for a file to be called package.json:

  {
  "name": "my-app",
  "version": "0.1.0",
  "dependencies": {
  "dompurify": "^0.9.0"
  }
  }

• so now, ls does output one file called package.json inside the folder
• run yarn install (to install the dependency and create yarn.lock)
• run cat yarn.lock, should return this output:

  
  # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
  # yarn lockfile v1

dompurify@^0.9.0: version "0.9.0" resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-0.9.0.tgz#470f9dd95657a644a84be1ed950677946259d055" integrity sha1-Rw+d2VZXpkSoS+HtlQZ3lGJZ0FU=

- run `yarn audit`; the output from `yarn audit` does say for me:
>0 vulnerabilities found - Packages audited: 1

can't figure out why there are 0 vulnerabilities reported: the dependency _dompurify_ is vulnerable at versions minor than `2.0.3`, as from [CVE here](https://nvd.nist.gov/vuln/detail/CVE-2019-16728). Was able to replicate the exploit, following steps [as described here](https://research.securitum.com/dompurify-bypass-using-mxss/).

Other tools, `Snyk` in this case, warned for the vulnerability.

There is anything that I am missing, about why `yarn audit` is not warning for the vulnerability above?

Thank you.

[lzzluca]

Experiencing the same with the dependency react-pdf@^3.0.5, installed version is 3.0.6.

Snyk warns about this vulnerability, yarn auditdoes not.