npm audit (and GitHub) find this vulnerability:

    # Run  npm update macaddress --depth 5  to resolve 1 vulnerability
    Critical        Command Injection
    Package         macaddress
    Dependency of   css-loader [dev]
    Path            css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
    More info       https://nodesecurity.io/advisories/654

Not only does yarn audit not find this vulnerability, yarn why isn't aware of such a dependency:

    > yarn why macaddress
    yarn why v1.12.3
    [1/4] Why do we have the module "macaddress"...?
    [2/4] Initialising dependency graph...
    [3/4] Finding dependency...
    error We couldn't find a match!
    Done in 0.66s

It also doesn't find uniqid; however, it does find postcss-filter-plugins.

Can anybody explain why yarn and npm seem to have a different idea of what's in the dependency tree?
yarn audit and npm audit both work from their lock files: package-lock.json for npm and yarn.lock for yarn.

If you want the same results, then both files should be updated. You need to run both the npm install and yarn install commands to get updated lock files.

At present, it looks like only one of them is updated and the other is outdated.
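To make the lockfile explanation concrete, here is an added example (not code from the question, the answer, npm or yarn) that reads a package-lock.json v1 object and a yarn.lock v1 text, lists the packages each one records, and walks the npm "requires" edges to reproduce the path that npm audit printed. Both lockfiles are constructed samples: the yarn.lock is deliberately written as it would look before uniqid and macaddress entered the tree, which is the situation the answer describes. The lookup of package-lock v1 as a hoisted map with nested "dependencies" shadowing the top level, and the yarn.lock v1 line layout (column-0 headers ending in ":", two-space "version", four-space dependency lines), are the formats as I know them; treat them as assumptions of the example.

```javascript
// Added example, not code from the question or the answer above. It compares
// what two lockfiles know about and finds the dependency path npm recorded.
// Both lockfiles are constructed samples in the shape of a package-lock.json
// v1 (flat, hoisted "dependencies" map with "requires") and a yarn.lock v1.

const PACKAGE_LOCK = {
  name: "sample-app",
  lockfileVersion: 1,
  dependencies: {
    "css-loader": { version: "1.0.0", dev: true, requires: { cssnano: "^4.0.0" } },
    cssnano: { version: "4.0.0", dev: true, requires: { "postcss-filter-plugins": "^2.0.0" } },
    "postcss-filter-plugins": { version: "2.0.0", dev: true, requires: { uniqid: "^4.0.0" } },
    uniqid: { version: "4.1.1", dev: true, requires: { macaddress: "^0.2.8" } },
    macaddress: { version: "0.2.8", dev: true },
  },
};

// Constructed yarn.lock written before uniqid/macaddress entered the tree.
const YARN_LOCK = `# yarn lockfile v1

css-loader@^1.0.0:
  version "1.0.0"
  dependencies:
    cssnano "^4.0.0"

cssnano@^4.0.0:
  version "4.0.0"
  dependencies:
    postcss-filter-plugins "^2.0.0"

postcss-filter-plugins@^2.0.0:
  version "2.0.0"
`;

// Parse yarn.lock v1 into Map<name, { versions: Set, dependencies: Set }>.
// Header lines start in column 0 and end with ":" (e.g. `a@^1, a@^1.2:`);
// the name is everything before the last "@", so scoped packages work too.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    const line = raw.trim();
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && raw.endsWith(":")) {
      const names = raw.slice(0, -1).split(",").map((s) => {
        const spec = s.trim().replace(/^"|"$/g, "");
        return spec.slice(0, spec.lastIndexOf("@"));
      });
      // All specs on one header resolve to the same package; merge by name.
      current = entries.get(names[0]) || { versions: new Set(), dependencies: new Set() };
      entries.set(names[0], current);
      inDeps = false;
      continue;
    }
    if (!current) continue;
    if (indent >= 4 && inDeps) {
      current.dependencies.add(line.split(/\s+/)[0].replace(/^"|"$/g, ""));
      continue;
    }
    inDeps = line === "dependencies:" || line === "optionalDependencies:";
    const m = line.match(/^version "([^"]+)"$/);
    if (m) current.versions.add(m[1]);
  }
  return entries;
}

// Every package name a package-lock v1 records, including nested ones.
function npmPackageNames(deps, out = new Set()) {
  for (const [name, node] of Object.entries(deps || {})) {
    out.add(name);
    npmPackageNames(node.dependencies, out);
  }
  return out;
}

// Breadth-first search over package-lock v1 "requires" edges from one root
// package to a target. A nested "dependencies" entry of the current package
// shadows the hoisted top-level map, loosely mirroring node resolution.
function findPathInPackageLock(lock, root, target) {
  const top = lock.dependencies || {};
  const resolve = (parent, name) =>
    (parent && parent.dependencies && parent.dependencies[name]) || top[name];
  const queue = [[root, resolve(null, root), [root]]];
  const seen = new Set([root]);
  while (queue.length) {
    const [name, node, path] = queue.shift();
    if (name === target) return path;
    if (!node) continue;
    for (const dep of Object.keys(node.requires || {})) {
      if (seen.has(dep)) continue;
      seen.add(dep);
      queue.push([dep, resolve(node, dep), path.concat(dep)]);
    }
  }
  return null;
}

// Packages one lockfile records and the other does not (sorted for stable output).
function lockfileDrift(lock, yarnEntries) {
  const npmNames = npmPackageNames(lock.dependencies);
  const yarnNames = new Set(yarnEntries.keys());
  return {
    onlyInNpm: [...npmNames].filter((n) => !yarnNames.has(n)).sort(),
    onlyInYarn: [...yarnNames].filter((n) => !npmNames.has(n)).sort(),
  };
}

function main() {
  const yarn = parseYarnLock(YARN_LOCK);
  console.log("npm path:", findPathInPackageLock(PACKAGE_LOCK, "css-loader", "macaddress").join(" > "));
  console.log("lockfile drift:", lockfileDrift(PACKAGE_LOCK, yarn));
}
main();
```

Run it with node on the two constructed inputs and the drift report names exactly the two packages yarn why could not find in the question, while the path search reproduces the chain npm audit printed. Pointing the same functions at a real project's lockfiles (after JSON.parse and fs.readFileSync) turns this into a quick check for the out-of-date lockfile the answer suspects.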