yarn-audit-fix incorrectly reports "Audit check found no issues"

[aaronmccall]

When I run npx yarn-audit-fix from the root of my project I see the following output:

~/Projects/phytochrome-web-ui [fix/230530_audit-deps-updates L|✚ 2⚑ 4] 
13:37 $ npx yarn-audit-fix
Resolve bins
Runtime digest

  isMonorepo false
  bins 
    yarn yarn
    npm npm
  
  versions 
    node v16.16.0
    npm 8.11.0
    yarn 1.22.19
    yaf 9.3.10
    yafLatest 9.3.10
  
  temp /Users/aaronmccall/Projects/phytochrome-web-ui/node_modules/.cache/yarn-audit-fix/735b3b381d052b6a3384e038fcde4204
  cwd /Users/aaronmccall/Projects/phytochrome-web-ui
  flags 
    flow patch
    npm-path system
    dry-run true
  

Verifying package structure...
Preparing temp assets...
Patching yarn.lock with audit data...
invoke yarn audit --json
Audit check found no issues
Installing deps update...
invoke yarn install --update-checksums
yarn install v1.22.19
[1/4] 🔍  Resolving packages...
warning Resolution field "[email protected]" is incompatible with requested version "ramda@^0.27.2"
warning Resolution field "[email protected]" is incompatible with requested version "ramda@^0.27.1"
success Already up-to-date.
✨  Done in 0.52s.
Done

When I run yarn audit, I see (snipped for brevity):

41 vulnerabilities found - Packages audited: 1687
Severity: 6 Moderate | 34 High | 1 Critical
✨  Done in 2.08s.

P.S. I updated node/npm to v18.16.0/v9.5.1 and had the same result.

[antongolub]

Hey, @aaronmccall,

Could you attach a minimal pkg.json and yarn.lock which reproduces the isseu?

[aaronmccall]

Sure thing, @antongolub. See attached.
package-redacted.json.txt
yarn.lock.txt

[stereodenis]

same issue for me