Posted Jul 12, 2019 by Maël Nison We’ve been made aware of a potential attack vector in the way some data are stored in the lockfile. We recommend to upgrade Yarn to the latest 1.17.3 release as soon as you get the chance. We also recommend you to edit your lockfiles to replace any reference to the http: protocol: What happened? The Yarn registry is just a DNS alias to the npm registry. For a few