launchdarkly / node-server-sdk

LaunchDarkly Server-side SDK for Node

Severe Security Vulnerability In Async Dependency Version 3.x #266

Closed anthony-langford closed 1 year ago

anthony-langford commented 1 year ago

Is this a support request? No.

Describe the bug: There is a security vulnerability in the async dependency. Version 7.0.0 of node-server-sdk currently has a dependency on async version 3.0.0 which is considered a high security risk according to NIST.

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Updating the async dependency to version 3.2.2 resolves the security issue.

To reproduce: N/A

Expected behavior: N/A

Logs: N/A

SDK version: N/A

Language version, developer tools: N/A

OS/platform: N/A

Additional context: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

louis-launchdarkly commented 1 year ago

Hello @anthony-langford, thank you for the report, we will work on this.

Filed internally as 187508.

louis-launchdarkly commented 1 year ago

Hello @anthony-langford, we have just released Node Server SDK 7.0.1, which should address this issue. Please feel free to open an issue with us if you find something else.

anthony-langford commented 1 year ago

Thanks for the quick resolution @louis-launchdarkly 🙏