CVE-2018-12556

Name of the Vulnerable Software and Affected Versions yarnpkg/website versions prior to 2018-06-05

Description The issue lies in the signature verification routine of the install.sh script, which only checks if a yarn release is signed by any key in the user's local keyring. This does not ensure the release is signed by the official yarn release key, allowing remote attackers to sign tampered packages with their own key.

Recommendations For versions prior to 2018-06-05, update to a version released after 2018-06-05 to ensure the signature verification routine correctly pins the signature to the yarn release key.