Bug report
Actual Behavior
Dependabot cannot update async to a non-vulnerable version of async (3.2.2) as it is a dependency of portfinder@1.0.28, creating a high severity vulnerability. From the Dependabot log: "A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method."
Currently it appears that portfinder may be abandonware; as of my last check it hasn't been updated in ~2 years. There is an issue raised with portfinder about the async dep, linked below, but it has gone without answer, as it appears portfinder is no longer receiving support.
http-party/node-portfinder#126
Expected Behavior
How Do We Reproduce?
Install webpack@latest and webpack-dev-server@latest and run npm audit to see the vulnerability.
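
To see which dependent keeps an old copy of async installed, the lockfile can be walked directly. The script below is an added example, not part of the original issue or of any project named in it: it applies Node's module resolution to a constructed `package-lock.json` fragment and reports each installed async older than 3.2.2 (the fixed version quoted from the Dependabot log) together with the package that resolves to it. The versions and ranges in the sample data are assumptions, and `other-tool` is a hypothetical package.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 2+ "packages" map).
// Versions and ranges are sample data; "other-tool" is a hypothetical package.
const lock = { packages: {
  "": { dependencies: { "webpack-dev-server": "^4.0.0", "other-tool": "^1.0.0" } },
  "node_modules/webpack-dev-server": { version: "4.0.0", dependencies: { portfinder: "^1.0.28" } },
  "node_modules/portfinder": { version: "1.0.28", dependencies: { async: "^2.6.2" } },
  "node_modules/async": { version: "2.6.3" },
  "node_modules/other-tool": { version: "1.0.0", dependencies: { async: "^3.2.2" } },
  "node_modules/other-tool/node_modules/async": { version: "3.2.2" },
} };

// Compare plain x.y.z versions (no pre-release tags); <0 means a is older than b.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Node resolution: the dependent's own node_modules first, then each ancestor's.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Every installed copy of `name` older than `fixed`, with the packages that resolve to it.
function findVulnerable(lock, name, fixed) {
  const findings = {};
  for (const [path, meta] of Object.entries(lock.packages)) {
    const range = (meta.dependencies || {})[name];
    if (!range) continue;
    const target = resolve(lock.packages, path, name);
    if (!target) continue;
    const version = lock.packages[target].version;
    if (cmp(version, fixed) >= 0) continue;
    findings[target] = findings[target] || { version, requiredBy: [] };
    const dependent = path.split("node_modules/").pop() || "(root)";
    findings[target].requiredBy.push({ dependent, version: meta.version, range });
  }
  return findings;
}

console.log(JSON.stringify(findVulnerable(lock, "async", "3.2.2"), null, 2));
```

The nested copy under `other-tool` is already at the fixed version, so only the hoisted copy that portfinder resolves to is reported.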