http-party / node-portfinder

A simple tool to find an open port or domain socket on the current machine
https://github.com/http-party/node-portfinder

Update "async" dependency #126

Closed chergott closed 2 years ago

chergott commented 2 years ago

portfinder is currently using async@^2.6.2 which has a known Prototype Pollution vulnerability

async@^3.2.2 addresses this vulnerability

Additional information:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
- Snyk: https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827

fhljys commented 2 years ago

Any update?

SymbioticKilla commented 2 years ago

@eriktrom Any chance to get this fixed? Thanks!

alexander-akait commented 2 years ago

@eriktrom Friendly ping, can you look at this, thanks?

ucsbricks commented 2 years ago

@eriktrom I would really appreciate if you could fix this. Thanks.

kiskoza commented 2 years ago

There's a PR to backport the fix to the 2.x branch on the async repo: https://github.com/caolan/async/pull/1828

pstephensSQ commented 2 years ago

Team, any status on this fix?

fhljys commented 2 years ago

I think Kiskoza's comment already addressed this. You just need to update the patch version.

mat007 commented 2 years ago

Dependabot opened https://github.com/http-party/node-portfinder/issues/126

eriktrom commented 2 years ago

async updated in https://github.com/http-party/node-portfinder/commit/ccdb3b77406082b0fbcdeb0869f2760bb7465c6b and https://github.com/http-party/node-portfinder/commit/10d97710a3b31675d9df4c9618dafcd94d2ec73a