nfriedly / node-bestzip

Provides a `bestzip` command that uses the system `zip` if available, and a Node.js implementation otherwise.
MIT License

Npm audit failure due to async dependency #58

Closed citypaul closed 2 years ago

citypaul commented 2 years ago

Hi there,

We're currently getting a failure in our pipeline due to a security issue with the async library.

Here's the failure from our CI output:

❯ yarn audit
└─ async: 1.5.2
   ├─ Issue: Prototype Pollution in async
   ├─ URL: https://github.com/advisories/GHSA-fwr7-v2mv-hh25
   ├─ Severity: high
   ├─ Vulnerable Versions: <3.2.2
   ├─ Patched Versions: >=3.2.2
   ├─ Via: bestzip, ejs
   └─ Recommendation: Upgrade to version 3.2.2 or later

I see there's a dependabot PR already open for this here: https://github.com/nfriedly/node-bestzip/pull/57

Would it be possible to merge this PR and do a new release please?
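A CI gate that turns audit output like the one quoted above into a build decision, as an added example that is not part of this issue or of the bestzip project. It assumes yarn 1's `yarn audit --json` line-delimited shape with `auditAdvisory` records (that layout is an assumption about the format); the sample input is constructed to mirror the async advisory in the issue, and the lower-severity `example-pkg` record is invented to show the threshold working. It also reports the direct dependencies that pull in the vulnerable module, since those (here `bestzip` and `ejs`) are the packages whose upgrade actually clears the finding.

```python
import json
import sys

# Constructed sample of `yarn audit --json` output. Yarn 1 emits one JSON
# object per line; the field layout here is an assumption about that format,
# and the values mirror the async advisory quoted in the issue.
SAMPLE_AUDIT_OUTPUT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "async",
        "severity": "high",
        "vulnerable_versions": "<3.2.2",
        "patched_versions": ">=3.2.2",
        "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25",
        "findings": [{"version": "1.5.2",
                      "paths": ["bestzip>async", "ejs>async"]}],
    }}}),
    json.dumps({"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "example-pkg",  # constructed, not a real package
        "severity": "low",
        "vulnerable_versions": "<1.0.1",
        "patched_versions": ">=1.0.1",
        "url": "https://example.invalid/advisory",
        "findings": [{"version": "1.0.0", "paths": ["example-pkg"]}],
    }}}),
    json.dumps({"type": "auditSummary",
                "data": {"vulnerabilities": {"high": 1, "low": 1}}}),
])

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_advisories(audit_output):
    """Return the advisory dicts from line-delimited yarn audit JSON,
    skipping summary records and blank or malformed lines."""
    advisories = []
    for line in audit_output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("type") == "auditAdvisory":
            advisories.append(record["data"]["advisory"])
    return advisories


def direct_dependencies(advisory):
    """The top-level packages that pull in the vulnerable module: the first
    segment of each dependency path, e.g. 'bestzip>async' -> 'bestzip'.
    Upgrading these is what actually resolves a transitive finding."""
    roots = set()
    for finding in advisory.get("findings", []):
        for path in finding.get("paths", []):
            roots.add(path.split(">")[0])
    return sorted(roots)


def failing_advisories(advisories, threshold="high"):
    """Advisories at or above the severity threshold that have a fix.
    npm/yarn report '<0.0.0' as patched_versions when no fix exists;
    those are excluded here so the gate only fails on actionable items."""
    floor = SEVERITY_RANK[threshold]
    return [
        adv for adv in advisories
        if SEVERITY_RANK.get(adv.get("severity", "info"), 0) >= floor
        and adv.get("patched_versions") not in (None, "", "<0.0.0")
    ]


def audit_gate(audit_output, threshold="high"):
    """Return (exit_status, report_lines): status 1 if any advisory meets
    the threshold, else 0, so the result can fail a CI job directly."""
    failures = failing_advisories(parse_advisories(audit_output), threshold)
    report = []
    for adv in failures:
        versions = ", ".join(f["version"] for f in adv.get("findings", []))
        report.append(
            f"{adv['severity'].upper()}: {adv['module_name']}@{versions} "
            f"(vulnerable {adv['vulnerable_versions']}, patched "
            f"{adv['patched_versions']}) via "
            f"{', '.join(direct_dependencies(adv))} - {adv['url']}"
        )
    return (1 if failures else 0), report


if __name__ == "__main__":
    # Pipe real output in with `yarn audit --json | python audit_gate.py`;
    # with no piped input the constructed sample is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_OUTPUT
    status, lines = audit_gate(data)
    print("\n".join(lines) or "no advisories at or above threshold")
    sys.exit(status)
```

Run against the constructed sample, the gate fails with one line naming `async@1.5.2` via `bestzip, ejs`, which is exactly the information needed to pick the right dependency to bump rather than trying to pin the transitive package by hand.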

nfriedly commented 2 years ago

Done! https://www.npmjs.com/package/bestzip