@slack/client dependency "async" has a security vulnerability

[ReubenUnruh]

Description

npm audit wants me to fix the security issue Prototype Pollution in async

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install hubot@2.13.2, which is a breaking change
node_modules/@slack/client/node_modules/async

├─┬ hubot-slack@4.10.0
│ └─┬ @slack/client@3.16.1-sec.2
│   ├── async@1.5.2
│   └─┬ winston@2.4.5
│     └── async@1.0.0

What type of issue is this? (place an x in one of the [ ])

• [ x] bug
• [ ] enhancement (feature request)
• [ ] question
• [ ] documentation related
• [ ] testing related
• [ ] discussion

Requirements (place an x in each of the [ ])

• [x ] I've read and understood the Contributing guidelines and have done my best effort to follow them.
• [ x] I've read and agree to the Code of Conduct.
• [x ] I've searched for any related issues and avoided creating a duplicate issue.

---

Bug Report

Reproducible in:

hubot-slack version: 4.10.0

node version: v16.13.2

OS version(s): Windows 10

Steps to reproduce:

1. Install hubot-slack v4.10.0

Expected result:

No audit suggestions

Actual result:

Audit suggests rolling back to hubot 2.x

[jimmywarting]

@slack/client is also now a legacy... maybe you should switch to something else?

[joeyguerra]

I'm in the process of removing the async module from Hubot and have also created a new Slack adapter if you're interested in that route.