jakejs / jake

JavaScript build tool, similar to Make or Rake. Built to work with Node.js.
http://jakejs.com
Apache License 2.0
1.96k stars, 190 forks

Update "async": Security vulnerability, prototype pollution #408

Closed klassm closed 2 years ago

klassm commented 2 years ago

Hi there,

there is a security vulnerability in the old async version, which is currently in use (https://github.com/advisories/GHSA-fwr7-v2mv-hh25). Would it be possible to update async to the latest version? This is a jump, however, from 0.9.x to 3.x.

Thanks Matthias

huineng commented 2 years ago

https://github.ibm.com/advisories/GHSA-fwr7-v2mv-hh25

high severity
Vulnerable versions: < 3.2.2
Patched version: 3.2.2

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

jacovinus commented 2 years ago

fix waiting to be merged at https://github.com/jakejs/jake/pull/409

nopeless commented 2 years ago

subscribed so I can update ejs when its merged

GoetzGoerisch commented 2 years ago

Fixed with #411! @mde can we get a new release please?

jaishirole commented 2 years ago

We too are waiting for the release with fix of #411 to be available.

raejoonee commented 2 years ago

Can't wait to upgrade to new release version with the fix of #411

VamseeInala commented 2 years ago

Waiting for the fix of #411 to be released

JackHowa commented 2 years ago

Hopefully this will be released! https://github.com/jakejs/jake/pull/412 cc @mde

shreya410 commented 2 years ago

Waiting for the async audit fix urgently, our production deployment is blocked because of this. Request to kindly expedite.

alert-debug commented 2 years ago

@shreya410 I share your sense of urgency, but I'm not sure that requesting that the work be expedited is what's needed here. Instead it's a good time to reflect on the fact that so many talented people are choosing to devote their time to produce this useful software and make it freely available to the world. It might be possible to expedite it if more people provided funding to support that development, though.

shreya410 commented 2 years ago

Absolutely! I deeply appreciate everyone's contributions here. Apologies if this sounded ungrateful.

mde commented 2 years ago

Apologies for the delay on this. Pushed to NPM, v10.8.5.

Re. funding, the suggestions are appreciated, but I have a hard time imagining how donations for a project like this would pay anything resembling a full-time developer's salary.

Again, apologies for the delay pushing this out. I'll do my best to be a little more on top of these arbitrary bumps that are required to satisfy automated security audits.

And a quick reminder, I will delete posts on threads that I consider needlessly belligerent.

playground commented 2 years ago

Same here, getting:

    async  <2.6.4
    Severity: high
    Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
    fix available via `npm audit fix --force`
    Will install prompt@0.1.7, which is a breaking change
    node_modules/winston/node_modules/async
      winston  0.4.0 - 3.0.0-rc6
      Depends on vulnerable versions of async
      node_modules/winston
        prompt  >=0.1.8
        Depends on vulnerable versions of winston
        node_modules/prompt

3 high severity vulnerabilities

mde commented 2 years ago

This has been fixed. You need to update Jake.