nfriedly/node-bestzip

Npm audit failure due to async dependency

citypaul opened this issue · 1 comment

Hi there,

We're currently getting a failure in our pipeline due to a security issue with the async library.

Here's the failure from our CI output:

❯ yarn audit
└─ async: 1.5.2
   ├─ Issue: Prototype Pollution in async
   ├─ URL: https://github.com/advisories/GHSA-fwr7-v2mv-hh25
   ├─ Severity: high
   ├─ Vulnerable Versions: <3.2.2
   ├─ Patched Versions: >=3.2.2
   ├─ Via: bestzip, ejs
   └─ Recommendation: Upgrade to version 3.2.2 or later

I see there's a Dependabot PR already open for this here: #57

Would it be possible to merge this PR and do a new release, please?