CVE-2019-5448
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Date published : 2019-07-30
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/