Update "async": Security vulnerability, prototype pollution

[klassm]

Hi there,

there is a security vulnerability in the old async version, which is currently in use (GHSA-fwr7-v2mv-hh25). Would id be possible to update async to the latest version? This is a jump however from 0.9.x to 3.x.

Thanks
Matthias

[huineng]

https://github.ibm.com/advisories/GHSA-fwr7-v2mv-hh25
high severity
Vulnerable versions: < 3.2.2
Patched version: 3.2.2
A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

[jacovinus]

fix waiting to be merged at #409

[nopeless]

subscribed so I can update ejs when its merged

[GoetzGoerisch]

Fixed with #411!
@mde can we get a new release please?

[jaishirole]

We too are waiting for the release with fix of #411 to be available.

[raejoonee]

Can't wait to upgrade to new release version with the fix of #411

[VamseeInala]

Waiting for the fix of #411 to be released

[JackHowa]

Hopefully this will be released! #412 cc @mde

[shreya410]

Waiting for the async audit fix urgently, our production deployment is blocked because of this. Request to kindly expedite.

[alert-debug]

@shreya410 I share your sense of urgency, but I'm not sure that requesting that the work be expedited is what's needed here. Instead it's a good time to reflect on the fact that so many talented people are choosing to devote their time to produce this useful software and make it freely available to the world. It might be possible to expedite it if more people provided funding to support that development, though.