- run `yarn audit`; the output from `yarn audit` says, for me:
> 0 vulnerabilities found - Packages audited: 1
I can't figure out why 0 vulnerabilities are reported: the dependency _dompurify_ is vulnerable at versions lower than `2.0.3`, as from the [CVE here](https://nvd.nist.gov/vuln/detail/CVE-2019-16728). I was able to replicate the exploit, following the steps [as described here](https://research.securitum.com/dompurify-bypass-using-mxss/).
Other tools, `Snyk` in this case, warned about the vulnerability.
Is there anything I am missing about why `yarn audit` is not warning about the vulnerability above?
Thank you.
Bug report for Yarn audit version: 1.17.3
How to replicate it
- create a folder `my-app`
- inside `my-app`, create a `package.json`
- `ls` does output one file called `package.json` inside the folder
- `yarn install` (to install the dependency and create `yarn.lock`)
- `cat yarn.lock` should return this output:

```
dompurify@^0.9.0:
  version "0.9.0"
  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-0.9.0.tgz#470f9dd95657a644a84be1ed950677946259d055"
  integrity sha1-Rw+d2VZXpkSoS+HtlQZ3lGJZ0FU=
```