Please see advisories for details:
These also seem to affect yarn, so this may have repercussions for all / most NodeJS related ports.
Thank you for the report
^Triage: CC www/yarn maintainer and request feedback
there no CVE filled for yarn. It's a npm issue only.
(In reply to Luca Pizzamiglio from comment #2)
This looks very much like at least a related issue, given timing and nature of the fix:
I added a vulnerability record here: