joeferner / node-java

Bridge API to connect with existing Java APIs.
MIT License
1.88k stars, 283 forks

Vulnerability in async dependency #577

Closed RakhimAimaganbetov closed 5 months ago

RakhimAimaganbetov commented 1 year ago

Guys, can you always keep the async dependency up to date?

Or can you use a higher version of async than 2.6.3 in the next release, please? We would like to avoid npm audit warnings.

Thank you in advance!

AsifImam commented 1 year ago

JFROG vulnerability scan also picked this up with the following info: "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution." Request to publish a new package with this vulnerability fixed. Thanks.
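The advisory text quoted in the comment above gives two affected ranges for `async`: everything before 2.6.4, and 3.x before 3.2.2. The script below is an added example (it is not part of node-java, nor of the `async` project or this thread) that turns those ranges into a check and walks an npm lockfile to report every installed copy of `async` that still falls inside them, including copies nested under other dependencies, which is where a transitive pin like node-java's shows up. The lockfile content, the `some-lib` dependency name and the versions inside it are constructed sample data, not node-java's real lockfile.

```javascript
// Added example, not code from the node-java project or this issue thread.
// Flags installed "async" versions inside the ranges quoted in the advisory:
//   < 2.6.4, or 3.x < 3.2.2  (prototype pollution via createObjectIterator).

function parseVersion(v) {
  // Accept "2.6.3" or "v2.6.3"; prerelease/build suffixes are ignored for ordering.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as stated in the advisory text quoted above.
const AFFECTED_RANGES = [
  { from: null,    fixed: '2.6.4' }, // every release before 2.6.4
  { from: '3.0.0', fixed: '3.2.2' }, // 3.x before 3.2.2
];

function isAsyncVersionAffected(version) {
  return AFFECTED_RANGES.some(({ from, fixed }) =>
    (from === null || compareVersions(version, from) >= 0) &&
    compareVersions(version, fixed) < 0);
}

// Scan a package-lock.json string. Handles lockfileVersion 2/3 (flat "packages"
// map keyed by install path) and lockfileVersion 1 (nested "dependencies" tree).
function findAffectedAsync(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/async$/.test(path) && meta.version &&
          isAsyncVersionAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'async' && meta.version && isAsyncVersionAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: a fixed top-level async plus a vulnerable copy
// pinned transitively by a hypothetical dependency "some-lib".
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { async: '^3.2.2', 'some-lib': '1.0.0' } },
    'node_modules/async': { version: '3.2.2' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { async: '2.6.3' } },
    'node_modules/some-lib/node_modules/async': { version: '2.6.3' },
  },
});

console.log(findAffectedAsync(SAMPLE_LOCK));
```

Running it on a real project means replacing `SAMPLE_LOCK` with the contents of that project's package-lock.json; an empty result for the whole tree, not just the top-level copy, is the condition under which the `npm audit` warning from the first comment goes away.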

RakhimAimaganbetov commented 1 year ago

The developers of "async" confirm that the vulnerability has already been fixed on their side, and ask you to update the version of the dependencies.

Can I ask you to publish a new release with an update of the "async" dependency? Thanks!

RakhimAimaganbetov commented 5 months ago

Here is a new node-java version which contains a fix for the issue described above.