
Vulnerability in async dependency

Open RakhimAimaganbetov opened this issue 2 years ago • 2 comments

Guys, can you always keep the async dependency up to date?

Or can you use a higher version of async than 2.6.3 in the next release, please? We would like to avoid npm audit warnings.

Thank you in advance!

RakhimAimaganbetov avatar Sep 05 '23 09:09 RakhimAimaganbetov

The JFrog vulnerability scan also picked this up, with the following info: In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. Request to publish a new package with this vulnerability fixed. Thanks.

AsifImam avatar Sep 06 '23 18:09 AsifImam
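The two comments above give the affected ranges (before 2.6.4, and 3.x before 3.2.2) but not a way to confirm whether a given install is exposed. The script below is an added example, not code from this issue or from the node-java project: it reads a lockfileVersion 2/3 style `packages` map, finds every installed copy of `async` (including copies nested under another dependency, which is where a pinned transitive version like 2.6.3 usually hides), and reports those inside the ranges quoted above. The lockfile object is constructed for the example; the `parseSemver`, `isVulnerableAsync` and `findVulnerableAsync` names are the example's own.

```javascript
// Added example: locate async versions in the ranges reported in this issue
// (<2.6.4, and >=3.0.0 <3.2.2) inside an npm lockfile. Not part of node-java.
// No dependencies, so the comparison is a minimal semver implementation.

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any prerelease/build
// suffix are ignored; a prerelease of a fixed version is treated as fixed).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 comparing two versions numerically field by field.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable ranges exactly as stated in the issue: before 2.6.4, and 3.x before 3.2.2.
// 4.x and later are outside both ranges and are reported as not affected.
function isVulnerableAsync(version) {
  const [major] = parseSemver(version);
  if (major < 3) return compareSemver(version, '2.6.4') < 0;
  if (major === 3) return compareSemver(version, '3.2.2') < 0;
  return false;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and collect
// every installed async, direct ("node_modules/async") or nested under another
// package ("node_modules/<dep>/node_modules/async"), that is in a vulnerable range.
function findVulnerableAsync(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isAsync = path === 'node_modules/async' || path.endsWith('/node_modules/async');
    if (isAsync && entry.version && isVulnerableAsync(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's lockfile): the top-level async
// is already fixed, but a nested copy pinned under the "java" package is 2.6.3.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/async': { version: '3.2.4' },
    'node_modules/java': {},
    'node_modules/java/node_modules/async': { version: '2.6.3' },
  },
};

// Usage: on a real project, replace sampleLock with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
console.log(JSON.stringify(findVulnerableAsync(sampleLock), null, 2));
```

The nested-path check is the part worth keeping: `npm audit` reports the same finding, but when the parent package pins the old version (as node-java did here), the only fixes are an upstream release or an `overrides` entry in your own package.json, and the path tells you which parent to override.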

The developers of "async" confirm that the vulnerability has already been fixed on their side, and ask you to update the version of the dependencies.

Can I ask you to publish a new release with an update of the "async" dependency? Thanks!

RakhimAimaganbetov avatar Sep 12 '23 19:09 RakhimAimaganbetov

Here is a new node-java version which contains a fix for the issue described above.

RakhimAimaganbetov avatar Jun 19 '24 08:06 RakhimAimaganbetov