nicolas-van/modern-async

Security issues

Closed this issue · 2 comments

I'm evaluating using modern-async for a production application but I'm concerned about the security issues that Socket.dev identified.

Aside from a number of npm audit issues, Socket.dev says modern-async includes install scripts and that it can access the network. Maybe a security audit of modern-async could uncover why these issues are flagged.

https://socket.dev/npm/package/modern-async/overview/1.1.3

Getting modern-async's security story up-to-date could help adoption. The library looks amazing otherwise, thanks for the hard work!

First let's be clear, latest version of modern-async doesn't yield any npm audit vulnerabilities:

$ npm install --save modern-async

added 3 packages, and audited 4 packages in 3s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm audit
found 0 vulnerabilities

Regarding the vulnerabilities raised by socket.dev, which is independent of npm audit, you are misreading them. It is clearly stated that their "Install script vulnerability" is located in a dependency, which in this case is core-js-pure. If you want the maintainers of that package to fix that potential vulnerability you are free to report the problem to them: https://github.com/zloirock/core-js#readme

On the other hand, core-js-pure has 14 M downloads on npm and their main package, core-js, has 42 M. So if that potential vulnerability was a real thing I think we would all be in a lot of trouble. That's why I wouldn't care personally.

Thanks for looking into this! I appreciate it 💪