pa11y / pa11y-ci

Pa11y CI is a CI-centric accessibility test runner, built using Pa11y
https://pa11y.org
GNU Lesser General Public License v3.0

Upgrade async library due to CVE-2021-43138 #185

Closed nicodemuz closed 9 months ago

nicodemuz commented 2 years ago

There is a security advisory to avoid using async 2.6.3 and below, see https://avd.aquasec.com/nvd/2021/cve-2021-43138/

+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| async            | CVE-2021-43138   | HIGH     | 2.6.3             | 2.6.4, 3.2.2  | Prototype Pollution in async          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43138 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
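The scan table above only reports the top-level copy of `async`; npm lockfiles can also carry nested copies under other dependencies, and each one needs to clear the fixed versions in the table (2.6.4 on the 2.x line, 3.2.2 on the 3.x line). The following is an added example, not pa11y-ci's own code or part of the pull request: it walks a lockfile in the `lockfileVersion` 2/3 layout (the `packages` map) and flags every installed `async` whose version is below the fix for its line. The sample lockfile is constructed, and treating everything below 2.6.4 and everything from 3.0.0 up to 3.2.1 as affected is an assumption derived from the fixed-version column rather than a statement the PR makes.

```javascript
// Added example: flag copies of `async` affected by CVE-2021-43138 in an npm lockfile.
// Constructed sample lockfile (lockfileVersion 2/3 layout, "packages" keyed by install path).
const sampleLock = {
  name: "example-project",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-project", version: "1.0.0" },
    "node_modules/async": { version: "2.6.3" },
    "node_modules/some-dep": { version: "1.0.0" },
    "node_modules/some-dep/node_modules/async": { version: "3.2.1" },
    "node_modules/other-dep/node_modules/async": { version: "2.6.4" },
  },
};

// Fixed releases from the advisory table: 2.6.4 for the 2.x line, 3.2.2 for the 3.x line.
// Assumption: every release below the fix on its own line is affected.
const FIXED_VERSIONS = { 2: [2, 6, 4], 3: [3, 2, 2] };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored for the comparison).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given async version is below the fix for its major line.
function isVulnerableAsync(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (major < 2) return true; // 0.x/1.x predate the 2.6.4 fix (assumption, see lead-in)
  const fix = FIXED_VERSIONS[major];
  if (!fix) return false; // 4.x and later are not on an affected line
  return compareVersions(parsed, fix) < 0;
}

// Collect every installed copy of async (top-level or nested) that is still affected.
function findVulnerableAsync(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isAsync = path === "node_modules/async" || path.endsWith("/node_modules/async");
    if (!isAsync) continue;
    if (isVulnerableAsync(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Stand-alone run against the constructed lockfile.
for (const f of findVulnerableAsync(sampleLock)) {
  console.log(`affected: ${f.path} (async@${f.version})`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-path check is what catches a transitive copy that `npm ls async` at the top level would not show.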
7Ds7 commented 2 years ago

The logs for the build are no longer available, but the build with this bump passes locally.

danyalaytekin commented 10 months ago

Thanks @nicodemuz for your vigilance and @7Ds7 for the test! This or a more recent version will be included in pa11y-ci@3.1 and pa11y-ci@4.

danyalaytekin commented 9 months ago

Thanks again for this. Added as a co-authored commit to: