sandworm-hq / sandworm-audit

Security & License Compliance For Your App's Dependencies 🪱

Home Page:https://sandworm.dev


Yarn classic's `audit` does not appear to support aliases

gabidobo opened this issue · comments

Notice the fracture in the vulnerability path below:

  • @pnpm/lockfile-file has a dependency on @zkochan/js-yaml, so the latest version (0.0.6) is installed. This dependency is aliased as js-yaml.
  • When running yarn audit the alias is ignored by Yarn, and we get back vulnerabilities for js-yaml@0.0.6 instead. That specific package version is not actually installed.
  • We do, however, have js-yaml@3.14.1 installed as a dependency for @yarnpkg/parsers. That node gets wrongly labeled as a vulnerability, and looks disconnected from its path.
  • Reproduce by running yarn audit in this repo's root.
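One way to catch the mismatch described above, as an added example that is not part of the issue or of sandworm's own code: it parses a constructed Yarn classic lockfile excerpt (the `<alias>@npm:<real-name>@<range>` key form is Yarn's; the specific entries are assumed to mirror the issue) and tells whether an audit finding names a package that is actually installed, is only an alias for another package at that version, or is not installed at all.

```python
# Added example (not sandworm's code): reconcile yarn-audit findings with yarn.lock.
# Yarn classic writes an alias as "<alias>@npm:<real-name>@<range>", so a finding
# named js-yaml@0.0.6 may really be @zkochan/js-yaml@0.0.6. LOCKFILE is a constructed
# v1 excerpt mirroring the issue (resolved/integrity fields omitted).
LOCKFILE = '''
"@yarnpkg/parsers@^2.5.1":
  version "2.5.1"

"js-yaml@^3.10.0":
  version "3.14.1"

"js-yaml@npm:@zkochan/js-yaml@0.0.6":
  version "0.0.6"
'''

def split_spec(spec):
    """'@scope/name@range' -> ('@scope/name', 'range'); scoped names keep their @."""
    at = spec.rfind("@")
    return spec[:at], spec[at + 1:]

def parse_lockfile(text):
    """Map (real_name, version) -> alias name (or None) for each lockfile entry."""
    installed, header = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            header = line[:-1]                      # one or more quoted specs
        elif header and line.startswith("  version "):
            version = line.split('"')[1]
            for spec in header.split(", "):
                spec, alias = spec.strip('"'), None
                if "@npm:" in spec:                 # alias@npm:real@range
                    alias, spec = spec.split("@npm:", 1)
                installed[(split_spec(spec)[0], version)] = alias
            header = None
    return installed

def classify(finding, installed):
    """'installed', 'aliased:<real-name>' (name is only an alias at that version),
    or 'not-installed' for an audit finding given as (name, version)."""
    name, version = finding
    if (name, version) in installed:
        return "installed"
    for (real, ver), alias in installed.items():
        if alias == name and ver == version:
            return f"aliased:{real}"
    return "not-installed"

def versions_of(name, installed):
    """Versions of the real package `name` in the lockfile, aliases excluded."""
    return sorted(v for (n, v), a in installed.items() if n == name and a is None)
```

For the issue's case, `classify(("js-yaml", "0.0.6"), parse_lockfile(LOCKFILE))` returns `aliased:@zkochan/js-yaml`, while `versions_of("js-yaml", ...)` shows only 3.14.1 is really installed under that name.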

This issue is stale because it has been open for 30 days with no activity.

This issue was closed because it has been inactive for 14 days since being marked as stale.