caolan / async

Async utilities for node and the browser
http://caolan.github.io/async/
MIT License

Fix prototype pollution vulnerability #1828

Closed mriedem closed 2 years ago

mriedem commented 2 years ago

(cherry picked from commit e1ecdbf79264f9ab488c7799f4c76996d5dca66d)

Conflicts:
    lib/internal/iterator.js
    test/mapValues.js

NOTE(mriedem): The conflicts are due to:

This is a 2.x series backport for https://nvd.nist.gov/vuln/detail/CVE-2021-43138.
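The thread above does not show the patch itself, so the following is an added illustration of the bug class the PR title names, written for this page and not taken from caolan/async. Both `mapValuesUnsafe` and `mapValuesSafe` are hypothetical stand-ins for a mapValues-style helper (the real library's code and fix are not reproduced here), and the input is constructed. The point a backporter or reviewer wants to verify is the one `checkMapValues` reports: with plain property assignment, a key named `__proto__` in untrusted input silently replaces the result object's prototype instead of becoming an own key; with `Object.defineProperty` the key is stored as an ordinary own property and the prototype chain is left alone. This is the kind of regression check a `test/mapValues.js` backport would carry.

```javascript
'use strict';

// Unsafe pattern (hypothetical, written for this example): the mapped value is
// stored with a plain assignment. A key named "__proto__" is not stored as an
// own property; it triggers the inherited __proto__ setter and swaps the result
// object's prototype for whatever the iteratee returned for that key.
function mapValuesUnsafe(obj, iteratee) {
  const newObj = {};
  for (const key of Object.keys(obj)) {
    newObj[key] = iteratee(obj[key], key);
  }
  return newObj;
}

// Hardened pattern: Object.defineProperty always creates an own data property,
// so "__proto__" becomes an ordinary key and the prototype chain is untouched.
function mapValuesSafe(obj, iteratee) {
  const newObj = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(newObj, key, {
      value: iteratee(obj[key], key),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return newObj;
}

// Constructed sample input, parsed from JSON so that "__proto__" is an own key,
// exactly as it would be after parsing an untrusted request body.
function constructedInput() {
  return JSON.parse('{"a": 1, "b": 2, "__proto__": {"tainted": true}}');
}

// Regression check: run a mapValues implementation over the sample input and
// report whether the result's prototype was replaced, whether the result now
// inherits a property it never owned, and which own keys actually exist.
function checkMapValues(mapFn) {
  const out = mapFn(constructedInput(), (v) => v);
  return {
    prototypeReplaced: Object.getPrototypeOf(out) !== Object.prototype,
    inheritsTainted:
      'tainted' in out && !Object.prototype.hasOwnProperty.call(out, 'tainted'),
    ownKeys: Object.keys(out),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', checkMapValues(mapValuesUnsafe));
  console.log('safe:  ', checkMapValues(mapValuesSafe));
}
```

Running the file prints the two reports side by side: the unsafe helper returns an object whose own keys are only `a` and `b` but which inherits `tainted` from an attacker-supplied prototype, while the hardened helper keeps `__proto__` as a visible own key and its prototype stays `Object.prototype`. For a library that must keep returning plain objects, `Object.defineProperty` is the less disruptive fix; building the result with `Object.create(null)` also closes the hole but changes the return type for every caller.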

mriedem commented 2 years ago

Feel free to ignore/close this if you want. For the project I cared about we just removed the dependency on async (it was only using doWhilst and we were able to just re-write that code to use a simple do...while).

richgt commented 2 years ago

Would love to see this get merged and released as a 2.x patch. Ember.js relies on this library, but is incompatible with 3.x. Let us know if there's anything we can do to help get this merged.

alexweininger commented 2 years ago

Us over at https://github.com/microsoft/vscode-azure-account would be very grateful if this fix could get merged and released as a 2.x patch as well!

Currently cannot update to 3.x since async is a transient dependency.

osdnk commented 2 years ago

I know this is crazy, but what's the fix for 1.5.x?

FrederikBolding commented 2 years ago

I know this is crazy, but what's the fix for 1.5.x?

Is mapValues even included in the older versions? I can't seem to find it. And if not, is there no vuln in the older versions?

hargasinski commented 2 years ago

Fixed in v2.6.4!

@aearly could you add me to async-es on npm? I was only able to publish async proper and not async-es as I don't have permission to publish that package.

mriedem commented 2 years ago

Fixed in v2.6.4!

Thank you!

aearly commented 2 years ago

@hargasinski you should be added as a maintainer. Thanks for handling this, I've been incredibly busy the past few weeks.

On Wed, Apr 13, 2022, 4:20 PM Hubert Argasinski @.***> wrote:

Fixed in v2.6.4!

@aearly https://github.com/aearly could you add me to async-es on npm? I was only able to publish async proper and not async-es as I don't have permission to publish that package.


hargasinski commented 2 years ago

Published async-es v2.6.4, thanks!