Closed: bmnidhin closed this PR 2 years ago

@bmnidhin this PR doesn't actually fix a security vulnerability, since the ^ in the package.json file already indicates that the latest minor version of async 3.x should be installed. This PR would simply set the minimum version to 3.2.3, which is a decent idea but doesn't actually fix the vulnerability as you describe it.
nconf v0.12 is already published to npm to fix this issue (although nconf was never actually vulnerable to the problem in the first place).
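The comment above turns on how npm resolves a caret (`^`) range. The following is an added example, not code from the nconf project or from this PR: a small model of caret resolution that shows why raising the floor of a `^` range does not change what a fresh install picks when a newer patch release exists, and where it does matter (a lockfile pinned to an older patch). It assumes `^3.2.0` as the pre-PR range (the page does not state the original value), uses a constructed list of published async 3.x versions rather than a registry query, and goes slightly beyond the page by also implementing the `^0.x.y` rules.

```javascript
// Added example: a minimal model of npm caret-range resolution.
// Assumes plain "MAJOR.MINOR.PATCH" versions without prerelease tags or build metadata.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  return compareParsed(parseVersion(a), parseVersion(b));
}

// Caret semantics: allow changes that do not touch the left-most non-zero component.
//   ^3.2.0 => >=3.2.0 <4.0.0
//   ^0.2.1 => >=0.2.1 <0.3.0
//   ^0.0.3 => >=0.0.3 <0.0.4
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const low = parseVersion(range.slice(1));
  const [maj, min, pat] = low;
  let high;
  if (maj > 0) high = [maj + 1, 0, 0];
  else if (min > 0) high = [0, min + 1, 0];
  else high = [0, 0, pat + 1];
  return { low, high };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { low, high } = caretBounds(range);
  return compareParsed(v, low) >= 0 && compareParsed(v, high) < 0;
}

// Fresh install with no lockfile: npm takes the highest published version in range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Install with a lockfile: the locked version is kept as long as it still satisfies
// the range; only when the range no longer admits it does npm re-resolve.
function resolveWithLock(range, locked, published) {
  return satisfies(locked, range) ? locked : resolve(range, published);
}

// Audit helper: which published versions does the range still admit below the fix?
function admittedBelow(range, published, fixedIn) {
  return published.filter((v) => satisfies(v, range) && compareVersions(v, fixedIn) < 0);
}

// Constructed sample of async 3.x releases (illustrative; not taken from the registry).
const ASYNC_PUBLISHED = ['3.1.0', '3.2.0', '3.2.1', '3.2.2', '3.2.3', '3.2.4'];

function demo() {
  return {
    freshBefore: resolve('^3.2.0', ASYNC_PUBLISHED),          // '3.2.4'
    freshAfter: resolve('^3.2.3', ASYNC_PUBLISHED),           // '3.2.4' (unchanged)
    lockedBefore: resolveWithLock('^3.2.0', '3.2.1', ASYNC_PUBLISHED), // stays '3.2.1'
    lockedAfter: resolveWithLock('^3.2.3', '3.2.1', ASYNC_PUBLISHED),  // forced to '3.2.4'
    admittedBefore: admittedBelow('^3.2.0', ASYNC_PUBLISHED, '3.2.3'), // ['3.2.0','3.2.1','3.2.2']
    admittedAfter: admittedBelow('^3.2.3', ASYNC_PUBLISHED, '3.2.3'),  // []
  };
}

console.log(demo());
```

The two `fresh*` results are the maintainer's point: with no lockfile both ranges install the newest 3.2.x, so the PR changes nothing there. The `locked*` results are the "decent idea" part: a project whose lockfile still pins an older patch keeps it under `^3.2.0`, and only the raised floor forces a re-resolve, which is the same effect a `npm audit fix` would have.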
Fixes security vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-43138