indexzero / nconf

Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
https://github.com/indexzero/nconf
MIT License
3.87k stars 253 forks

new release of nconf needed to address CVE-2021-43138 #396

Closed grant-g closed 2 years ago

grant-g commented 2 years ago

nconf release 0.11.3 has dependency "async": "^1.4.0", which cannot satisfy CVE-2021-43138. A new release of nconf is needed that brings in async 3.2.2 or newer.

The guidance for apps that depend on packages like nconf is to resolve such findings within 15 days whenever possible. It would be very helpful if this can be resolved quickly, to give downstream apps an opportunity to adopt the fix in good time. Thank you in advance!

mhamann commented 2 years ago

This should be possible, though there are breaking changes in async that make it less than straightforward.

grant-g commented 2 years ago

@mhamann Thank you for looking into this. I'm sure this wasn't a task you had planned in the short term, but there are likely many apps out there that need this update in order to stay compliant. If you run into blockers/delays please let us know here, thanks again!

mhamann commented 2 years ago

The necessary changes have been merged into v0.x and will likely be released as v0.12 this week after some final testing.

PaulAnnekov commented 2 years ago

JFYI, nconf looks like it's not affected, because it's not using the async mapValues method, which is vulnerable according to the CVE.

mhamann commented 2 years ago

Thanks for the insight, @PaulAnnekov.

v0.12.0 has been released to address the CVE
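The two technical points raised in this thread, a declared range of `^1.4.0` that cannot reach any fixed async and the question of whether nconf actually calls `mapValues`, turned into a worked triage script. This is an added example, not nconf's code and not code posted by any commenter. It assumes the affected ranges as stated in the advisory text (2.x before 2.6.4 and 3.x before 3.2.2, with anything older than 2.6.4, including all of 1.x, treated as affected), understands only exact pins, caret and tilde ranges, reads only the `packages` map of a lockfileVersion 2 or 3 package-lock.json, and runs on a lockfile and a source snippet constructed inline; the names `triage`, `SAMPLE_LOCK` and `SAMPLE_SOURCE` are mine.

```javascript
'use strict';
// Added example (not nconf's code): triage exposure to CVE-2021-43138 from a
// lockfile and the consumer's own source. No dependencies; Node only.

// Unaffected version intervals [from, to), from the advisory text: fixed in
// 2.6.4 (good until 3.0.0, where the 3.x line restarts) and in 3.2.2 onward.
// Anything before 2.6.4, including all of 1.x, is treated as affected.
const UNAFFECTED = [
  { from: [2, 6, 4], to: [3, 0, 0] },
  { from: [3, 2, 2], to: [Infinity, 0, 0] },
];

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`not a semver version: ${text}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
const vmax = (a, b) => (cmp(a, b) >= 0 ? a : b);
const vmin = (a, b) => (cmp(a, b) <= 0 ? a : b);

// True when this installed async version falls in an affected range.
function asyncIsAffected(version) {
  const v = parseVersion(version);
  return !UNAFFECTED.some(({ from, to }) => cmp(v, from) >= 0 && cmp(v, to) < 0);
}

// [lo, hi) bounds for an exact pin, a caret range or a tilde range, which is
// all the ranges in this thread need. Any other syntax throws.
function rangeBounds(range) {
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const lo = parseVersion(op ? range.slice(1) : range);
  let hi;
  if (op === '^' && lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (op === '^' && lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else if (op === '^') hi = [0, 0, lo[2] + 1];
  else if (op === '~') hi = [lo[0], lo[1] + 1, 0];
  else hi = [lo[0], lo[1], lo[2] + 1];
  return { lo, hi };
}

// Does the declared range admit at least one unaffected version, so that a
// lockfile refresh alone could pick up the fix? For "^1.4.0" it cannot: the
// range tops out below 2.0.0, which is why only a new nconf release helps.
function rangeCanReachFix(range) {
  const { lo, hi } = rangeBounds(range);
  return UNAFFECTED.some(({ from, to }) => cmp(vmax(lo, from), vmin(hi, to)) < 0);
}

// Every installed copy of async in an affected range, from the "packages" map
// of a lockfileVersion 2/3 package-lock.json. The path shows who nested it.
function affectedAsyncInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/async') || !meta.version) continue;
    if (asyncIsAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Reachability heuristic in the spirit of PaulAnnekov's comment: does the
// consumer's source mention mapValues (or its Limit/Series variants, which
// share the implementation in async)? Dynamic property access is missed, so
// "no match" is evidence for deprioritising, not proof of safety.
function referencesMapValues(source) {
  return /\bmapValues(?:Limit|Series)?\b/.test(source);
}

// Constructed inputs (not a real lockfile): the app's own async is fixed, the
// copy nested under nconf is not, and the consumer never calls mapValues.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { nconf: '0.11.3' } },
    'node_modules/async': { version: '3.2.2' },
    'node_modules/nconf': { version: '0.11.3', dependencies: { async: '^1.4.0' } },
    'node_modules/nconf/node_modules/async': { version: '1.5.2' },
  },
};
const SAMPLE_SOURCE = [
  "const async = require('async');",
  'async.parallel([loadDefaults, loadEnv, loadArgv], done);',
].join('\n');

// Summarise the three questions for one dependent package in the lockfile.
function triage(lock, dependentPath, source) {
  const declared = lock.packages[dependentPath].dependencies.async;
  return {
    declaredRange: declared,
    rangeCanReachFix: rangeCanReachFix(declared),
    affectedInstalls: affectedAsyncInstalls(lock),
    consumerReachesMapValues: referencesMapValues(source),
  };
}

console.log(JSON.stringify(triage(SAMPLE_LOCK, 'node_modules/nconf', SAMPLE_SOURCE), null, 2));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the `rangeCanReachFix` answer is what decides whether an upstream release is required, and `referencesMapValues` is only a first-pass signal for prioritising, since a scanner will keep flagging the installed version regardless.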