Installing NextJS with Tailwind using NPM shows me 3 vulnerabilities while YARN doesn't. why?

Question

Installing Nextjs should be an out of the box solution (it shouldn't come with vulnerabilities) so why is it that when I install it using npm it tells me that there are 3 vulnerabilities while with yarn it does not?

the vulnerability using npm is due to a package called node-fetch, for some reason it installs version 2.6.1 rather than 2.6.7. to remove the vulnerability message I'd manually have to update the package.