
global installations failing due to flat-map-stream vulnerability #7224

Open
Larkenx opened this issue Apr 24, 2019 · 1 comment

Comments

@Larkenx

Larkenx commented Apr 24, 2019

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
When installing any global dependency that happens to pull in the event-stream dependency, yarn fails to install the dependency since the malicious event-stream 3.3.6 and flatmap-stream 0.1.2 packages don't exist in the yarn registry. npm properly finds an updated, not malicious version of event-stream, but yarn fails every time.

More info on the event-stream vulnerability: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

Example:

[steven@work yeoman-workspace]$ yarn global add generator-spring-boot-microservice
yarn global v1.13.0
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/flatmap-stream/-/flatmap-stream-0.1.2.tgz: Request failed \"404 Not Found\"".

What is the expected behavior?
yarn should be able to install these global dependencies like npm does, but without the malicious / pulled packages.

Please mention your node.js, yarn and operating system version.
macOS Mojave 10.14.5

[steven@work yeoman-workspace]$ npm -v
6.4.1
[steven@work yeoman-workspace]$ yarn -v
1.13.0
[steven@work yeoman-workspace]$ node -v
v10.15.3
[steven@work yeoman-workspace]$ 
@DanielRuf
Contributor

Hi @Larkenx,

flatmap-stream-0.1.2.tgz:

npmjs has removed all releases. You may have a lockfile which is used. Please try to update the affected dependencies and inform the affected package owners.

https://www.npmjs.com/package/flatmap-stream?activeTab=versions
