aem-upload
Currently failing basic vulnerability due to transitive dependencies therefore vastly limiting its usability!
As an Enterprise customer, I expect libraries which are maintained, managed and endorsed by Adobe to meet basic vulnerability scanning standards. This library in its current form introduces CVEs into organizations.
Actual Behavior: 2 medium severity vulnerabilities have indeed been detected.
- SNYK-JS-INFLIGHT-6095116
- SNYK-JS-TAR-6476909
Reproduce Scenario (including but not limited to)
Steps to reproduce can be found on Snyk Security Vulnerability Database: https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
Platform and Version
N/A
Sample Code that illustrates the problem
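    const inflight = require('inflight');

    function testInflight() {
      let i = 0;

      function scheduleNext() {
        // Report memory usage every 100 rounds so the growth is visible.
        if (i % 100 === 0) {
          console.log(process.memoryUsage());
        }

        // A new key each round; the function inflight() returns is never
        // called, so the queued callbacks for that key are never released.
        let key = `key-${i++}`;
        const callback = () => {};
        for (let j = 0; j < 1000000; j++) {
          inflight(key, callback);
        }

        setImmediate(scheduleNext);
      }

      scheduleNext();
    }

    testInflight();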
Logs taken while reproducing problem
https://github.com/isaacs/inflight/issues/5