yarn is vulnerable to unauthorized file overwrite. The vulnerability exists as it was possible to create symlinks to files, using the value of bin, to access files out of the node_modules folder.
access.redhat.com/errata/RHSA-2020:0475
blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
github.com/yarnpkg/yarn/commit/cefe4c529816f94cfefbb78c1b0d16d7da895b64
github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
github.com/yarnpkg/yarn/pull/7755
lists.fedoraproject.org/archives/list/[email protected]/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
lists.fedoraproject.org/archives/list/[email protected]/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/