Security concerns based on yarn audit

[aval13]

Running yarn audit on the code produces a worrying output:
1212 vulnerabilities found - Packages audited: 1790
Severity: 48 Low | 161 Moderate | 1003 High
Done in 8.68s.

Expected Behavior

Not report any vulnerability or only a few Lows (maybe).

Current Behavior

1003 High vulnerabilities identified.
Out of all these, 12 CVEs reported,
https://www.npmjs.com/advisories/1603
https://www.npmjs.com/advisories/1654
https://www.npmjs.com/advisories/1673
https://www.npmjs.com/advisories/1678
https://www.npmjs.com/advisories/1679
https://www.npmjs.com/advisories/1753
https://www.npmjs.com/advisories/1762
https://www.npmjs.com/advisories/1770
https://www.npmjs.com/advisories/1771
https://www.npmjs.com/advisories/1779
https://www.npmjs.com/advisories/1780
https://www.npmjs.com/advisories/1781

Possible Solution

Maybe update the version requirements for packages so no vulnerable versions are pulled in?
Also maybe cut on the required modules (split the list into dev and production, now all are production required)?
Downloading 1567 modules seems a bit excessive (although yarn audit reports 1790 packages).
Linking dependencies step makes checks 97856 checks.

Steps to Reproduce

Run:
yarn audit
or
yarn audit --modules-folder /opt/sensu/yarn/node_modules
based on how yarn install was run.

Context

I am trying NOT to deploy a vulnerabile application in a production environment.

Your Environment

• Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): 6.4.0 (not relevant in this context)
• Installation method (packages, binaries, docker etc.): yarn and nodejs installed from official upstream debs
• Operating System and version (e.g. Ubuntu 14.04): Debian 10
• Browser used: not relevant in this context

Yarn version:

# yarn --version
1.22.5
# apt-cache policy yarn | head
yarn:
  Installed: 1.22.5-1
  Candidate: 1.22.5-1
  Version table:
 *** 1.22.5-1 500
        500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
        500 https://dl.yarnpkg.com/debian stable/main all Packages
        100 /var/lib/dpkg/status
     1.22.4-1 500
        500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
[..CUT..]

[aval13]

8 affected packages by High (--level high) vulnerabilities:
│ Package │ immer │
│ Package │ lodash │
│ Package │ prismjs │
│ Package │ tar │
│ Package │ trim-newlines │
│ Package │ ua-parser-js │
│ Package │ url-parse │
│ Package │ y18n │

PR #379 would fix 1 of them, 7 remaining.

9 packages affected by Moderate (--level moderate produces 17 packages output).
PR #380 would fix one of them.