Prototye Pollution in Async via portfinder@1.0.28 dependency #4386
Comments
|
A issue has been already opened for this problem (#4383) and a fix merged into master: #4384 |
|
Duplicate |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug report
Actual Behavior
Dependabot cannot update async to a non-vulnerable version of async (3.2.2) as it is dependency of portfinder@1.0.28 creating a high severity vulnerability. From the dependabot log "A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method."
Currently it appears that portfinder may be abandonware as of my last check it hasnt been updated in ~2 years. There is an issue raised with portfinder about the async dep, linked below, but has gone without answer, as it appears portfinder is no longer receiving support.
http-party/node-portfinder#126
Expected Behavior
How Do We Reproduce?
install webpack@latest and webpack-dev-server@latest and run npm audit to see the vulnerability.
The text was updated successfully, but these errors were encountered: