From fc40f9634b3460384daa9dc38cfdc80ca7a766db Mon Sep 17 00:00:00 2001
From: Fabio Berger
Date: Mon, 3 Jun 2019 11:34:59 +0100
Subject: [PATCH 1/2] Upgrade tar-fs dep to version without critical security issue
---
 yarn.lock | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index 63e6f907e3..d1b76212f5 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13278,7 +13278,7 @@ prebuild-install@^2.2.2:
 pump "^2.0.1"
 rc "^1.1.6"
 simple-get "^2.7.0"
- tar-fs "^1.13.0"
+ tar-fs "~1.16.3"
 tunnel-agent "^0.6.0"
 which-pm-runs "^1.0.0"
 
@@ -16318,15 +16318,6 @@ tape@~2.3.2:
 resumer "~0.0.0"
 through "~2.3.4"
 
-tar-fs@^1.13.0:
- version "1.16.0"
- resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.0.tgz#e877a25acbcc51d8c790da1c57c9cf439817b896"
- dependencies:
- chownr "^1.0.1"
- mkdirp "^0.5.1"
- pump "^1.0.0"
- tar-stream "^1.1.2"
-
 tar-fs@~1.16.3:
 version "1.16.3"
 resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.3.tgz#966a628841da2c4010406a82167cbd5e0c72d509"
From 691a3a1e72c88ef432c225b035a5fb74c86ed70d Mon Sep 17 00:00:00 2001
From: Fabio Berger
Date: Mon, 3 Jun 2019 11:56:42 +0100
Subject: [PATCH 2/2] Fix security vuln by using patched versions of deep-extend
---
 yarn.lock | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index d1b76212f5..e3acdf098b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5658,10 +5658,6 @@ deep-extend@^0.6.0:
 version "0.6.0"
 resolved "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz#c4fa7c95404a17a9c3e8ca7e1537312b736330ac"
 
-deep-extend@~0.4.0:
- version "0.4.2"
- resolved "https://registry.yarnpkg.com/deep-extend/-/deep-extend-0.4.2.tgz#48b699c27e334bf89f10892be432f6e4c7d34a7f"
-
 deep-is@~0.1.3:
 version "0.1.3"
 resolved "https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.3.tgz#b369d6fb5dbc13eecf524f91b070feedc357cf34"
@@ -13858,7 +13854,7 @@ rc@^1.0.1, rc@^1.1.6, rc@^1.1.7:
 version "1.2.6"
 resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.6.tgz#eb18989c6d4f4f162c399f79ddd29f3835568092"
 dependencies:
- deep-extend "~0.4.0"
+ deep-extend "^0.6.0"
 ini "~1.3.0"
 minimist "^1.2.0"
 strip-json-comments "~2.0.1"