Ensuring that RedwoodJS releases pass the security audit

It seems that this little paragraph did not catch anyone’s attention, so I am raising it again to steer the conversation towards the following: if `yarn audit` reports security violations somewhere deep in my app’s dependency chain, how can I address it other than sending a message to the offending module’s maintainer, asking them to change that “sub-chain” so that the violation reported by `yarn audit` goes away?

I do not know enough about yarn to propose just updating the version of immer to fit the report stating that it is updated in version >= 8.0.1 (see the Prototype Pollution in immer · CVE-2020-28477 · GitHub Advisory Database · GitHub advisory).

There ought to be a better solution for such my-app-local patching, as this would soon become unwieldy.
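One way to handle a finding like the immer one without waiting on the upstream maintainer, as an added example that is not part of the original post and not RedwoodJS project code: read the NDJSON that `yarn audit --json` (yarn classic) emits, keep only the advisories that sit in a transitive chain, and derive a `resolutions` block for the app's package.json that forces every nested copy of the module up to the patched version. The record shape below is assumed from yarn classic's audit output and should be checked against your yarn version; the sample input, the `some-intermediate-package` name, the advisory id and the app name are constructed. The CVE and the patched range are the ones quoted in the post.

```javascript
// Added example (not from the forum post or from RedwoodJS). Summarises
// `yarn audit --json` output for transitive dependencies and proposes a
// package.json "resolutions" block that pins the patched version.
// Assumed record shape: yarn classic NDJSON with "auditAdvisory" records.
// Sample input below is constructed; intermediate package and id are placeholders.

const SAMPLE_AUDIT_NDJSON = [
  JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id: 0, path: '@redwoodjs/core>some-intermediate-package>immer', dev: true },
      advisory: {
        module_name: 'immer',
        severity: 'high',
        title: 'Prototype Pollution',
        vulnerable_versions: '<8.0.1',
        patched_versions: '>=8.0.1',
        cves: ['CVE-2020-28477'],
        findings: [{ version: '7.0.9', paths: ['@redwoodjs/core>some-intermediate-package>immer'] }],
      },
    },
  }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { high: 1 } } }),
].join('\n');

// Parse one JSON object per line and keep only the advisory records.
function parseAuditNdjson(text) {
  return text
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line))
    .filter((rec) => rec.type === 'auditAdvisory')
    .map((rec) => ({
      module: rec.data.advisory.module_name,
      severity: rec.data.advisory.severity,
      cves: rec.data.advisory.cves || [],
      patchedVersions: rec.data.advisory.patched_versions,
      path: rec.data.resolution.path,
      // yarn joins the dependency chain with '>'; a direct dependency has no '>'.
      transitive: rec.data.resolution.path.includes('>'),
    }));
}

// Extract the lowest fixed version from a patched_versions range such as
// ">=8.0.1" or ">=1.2.3 <2.0.0 || >=2.1.0". Returns null when the range has
// no lower bound (yarn reports "<0.0.0" when no fixed version exists).
function minimumPatchedVersion(range) {
  const m = /^\s*>=\s*(\d+\.\d+\.\d+[^\s|]*)/.exec(range || '');
  return m ? m[1] : null;
}

// Build the "resolutions" map (module name -> fixed version) for transitive
// findings only; a direct dependency is fixed by bumping it in package.json.
function proposeResolutions(advisories) {
  const resolutions = {};
  for (const adv of advisories) {
    const fixed = minimumPatchedVersion(adv.patchedVersions);
    if (!adv.transitive || fixed === null) continue;
    resolutions[adv.module] = fixed;
  }
  return resolutions;
}

// Merge the proposal into an existing package.json object; entries the
// developer already pinned take precedence over the proposed ones.
function mergeResolutions(pkg, proposed) {
  return { ...pkg, resolutions: { ...proposed, ...(pkg.resolutions || {}) } };
}

function demo() {
  const advisories = parseAuditNdjson(SAMPLE_AUDIT_NDJSON);
  for (const a of advisories) {
    console.log(`${a.severity}\t${a.module}\t${a.cves.join(',')}\tvia ${a.path}`);
  }
  const pkg = { name: 'my-redwood-app', private: true }; // constructed
  console.log(JSON.stringify(mergeResolutions(pkg, proposeResolutions(advisories)), null, 2));
}

demo();
```

With yarn classic, a `resolutions` key of `immer` applies to every nested copy of the module; the glob form `**/immer` is also accepted. After adding the block, run `yarn install` to rewrite yarn.lock and then `yarn audit` again to confirm the advisory is gone, and keep the pin only until the intermediate packages pick up the fixed version themselves.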