
Fix prototype pollution vulnerability #1828

Merged (1 commit, Apr 13, 2022)

Conversation

@mriedem commented Apr 8, 2022

(cherry picked from commit e1ecdbf)

Conflicts:
lib/internal/iterator.js
test/mapValues.js

NOTE(mriedem): The conflicts are due to:

  • e475117 for iterator.js;
    resolution was trivial
  • bd86f42 for mapValues.js;
    resolution was just copying the test change into the old
    test file before it was moved

This is a 2.x series backport for
https://nvd.nist.gov/vuln/detail/CVE-2021-43138.

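The bug class this backport addresses, as an added example that is not code from the async project or from this PR: a minimal mapValues-style helper in the vulnerable shape (iteratee results copied into a fresh `{}` under the input's own keys) beside a hardened variant that skips the `__proto__` key. The function names (`parseProfile`, `mapValuesVulnerable`, `mapValuesHardened`, `demo`), the profile JSON and the `isAdmin` flag are this example's own assumptions; whether commit 8f7f903 hardens in exactly this way has to be checked against the diff, which this page does not show.

```javascript
'use strict';
// Added illustration of the CVE-2021-43138 bug class; not code from the async
// project or from PR #1828.  All names below are this example's own.

// JSON.parse creates "__proto__" as an *own* data property of the parsed object
// (it never touches the prototype), so Object.keys() reports it and any loop
// that copies keys into a fresh object will see it.
function parseProfile(json) {
  return JSON.parse(json);
}

// Vulnerable shape: iteratee results are stored in a fresh {} under the input's
// keys.  For key "__proto__" the assignment hits the __proto__ accessor that {}
// inherits from Object.prototype, so the result's prototype becomes whatever the
// attacker supplied instead of an own property being created.
function mapValuesVulnerable(obj, iteratee) {
  const result = {};
  for (const key of Object.keys(obj)) {
    result[key] = iteratee(obj[key], key);
  }
  return result;
}

// Hardened: skip the "__proto__" key while iterating.  Building the result with
// Object.create(null) would also stop the setter from firing, but it changes the
// shape of what callers get back (no toString, hasOwnProperty, ...).
function mapValuesHardened(obj, iteratee) {
  const result = {};
  for (const key of Object.keys(obj)) {
    if (key === '__proto__') continue; // assumption: silently dropping the key is acceptable
    result[key] = iteratee(obj[key], key);
  }
  return result;
}

// Constructed attacker-controlled input (not real data): a profile with an
// injected "__proto__" member carrying a privilege flag.
const ATTACKER_JSON = '{"name":"mallory","__proto__":{"isAdmin":true}}';

// Pass-through iteratee; a real app might trim or normalise each field.
const identity = (value) => value;

// Runs both variants over the same input and reports what a downstream
// authorization check such as `if (profile.isAdmin)` would observe.
function demo() {
  const input = parseProfile(ATTACKER_JSON);
  const vuln = mapValuesVulnerable(input, identity);
  const safe = mapValuesHardened(input, identity);
  return {
    // Own keys and serialisation look identical and harmless for both results,
    // so logging the object does not reveal the problem.
    vulnOwnKeys: Object.keys(vuln),
    vulnSerialized: JSON.stringify(vuln),
    // ...but the vulnerable result inherits isAdmin from the injected prototype.
    vulnIsAdmin: vuln.isAdmin === true,
    vulnProtoReplaced: Object.getPrototypeOf(vuln) !== Object.prototype,
    safeIsAdmin: safe.isAdmin === true,
    safeProtoIntact: Object.getPrototypeOf(safe) === Object.prototype,
    // Object.prototype itself is untouched: this pollutes the returned object,
    // not every object in the process.  A later recursive merge of that result
    // into a config or session object is where it would spread.
    globalUntouched: ({}).isAdmin === undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with node. The point worth carrying into a review of any similar helper: neither `Object.keys()` nor `JSON.stringify()` shows the injected prototype, so log output looks clean; a test has to check `Object.getPrototypeOf(result) === Object.prototype`, and authorization code should read flags with `Object.prototype.hasOwnProperty.call(obj, 'isAdmin')` (or `Object.hasOwn`) rather than plain property access.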
@mriedem (Author) commented Apr 8, 2022

Feel free to ignore/close this if you want. For the project I cared about we just removed the dependency on async (it was only using doWhilst and we were able to just re-write that code to use a simple do...while).

@richgt commented Apr 11, 2022

Would love to see this get merged and released as a 2.x patch. Ember.js relies on this library, but is incompatible with 3.x. Let us know if there's anything we can do to help get this merged.

@alexweininger commented

Us over at https://github.com/microsoft/vscode-azure-account would be very grateful if this fix could get merged and released as a 2.x patch as well!

Currently cannot update to 3.x since async is a transient dependency.

@osdnk commented Apr 13, 2022

I know this is crazy, but what's the fix for 1.5.x?

@FrederikBolding commented

> I know this is crazy, but what's the fix for 1.5.x?

Is mapValues even included in the older versions? I can't seem to find it. And if not, is there no vuln in the older versions?

@hargasinski merged commit 8f7f903 into caolan:2.x Apr 13, 2022

@hargasinski (Collaborator) commented

Fixed in v2.6.4!

@aearly could you add me to async-es on npm? I was only able to publish async proper and not async-es as I don't have permission to publish that package.

@mriedem (Author) commented Apr 14, 2022

> Fixed in v2.6.4!

Thank you!

@mriedem deleted the CVE-2021-43138-2.x-backport branch April 14, 2022 13:52

@aearly (Collaborator) commented Apr 15, 2022 via email

@hargasinski (Collaborator) commented

Published async-es v2.6.4, thanks!
