Fix prototype pollution vulnerability #1828
(cherry picked from commit e1ecdbf)
Conflicts:
lib/internal/iterator.js
test/mapValues.js
NOTE(mriedem): The conflicts are due to:
- e475117 for iterator.js; resolution was trivial
- bd86f42 for mapValues.js; resolution was just copying the test change into the old test file before it was moved
This is a 2.x series backport for https://nvd.nist.gov/vuln/detail/CVE-2021-43138.
Feel free to ignore/close this if you want. For the project I cared about we just removed the dependency on async (it was only using |
Would love to see this get merged and released as a 2.x patch. Ember.js relies on this library, but is incompatible with 3.x. Let us know if there's anything we can do to help get this merged. |
Us over at https://github.com/microsoft/vscode-azure-account would be very grateful if this fix could get merged and released as a 2.x patch as well! Currently cannot update to 3.x since async is a transient dependency. |
I know this is crazy, but what's the fix for 1.5.x? |
Is |
Fixed in @aearly could you add me to |
Thank you! |
@hargasinski you should be added as a maintainer. Thanks for handling this,
I've been incredibly busy the past few weeks.
…On Wed, Apr 13, 2022, 4:20 PM Hubert Argasinski ***@***.***> wrote:
Fixed in v2.6.4!
@aearly <https://github.com/aearly> could you add me to async-es on npm?
I was only able to publish async proper and not async-es as I don't have
permission to publish that package.
|
Published async-es |