Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
- Laravel Mix Version (npm list --depth=0): 6.0.43
- Node Version (node -v): 16.14.2
- NPM Version (npm -v): 8.5.0
- OS: Ubuntu 20.04.4 LTS (Focal Fossa)
Description: When running npm audit, warnings are given about async in the upstream webpack-dev-server and portfinder.
Steps To Reproduce: Run npm audit.
# npm audit report
async <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
portfinder 0.1.0 || >=0.4.0
Depends on vulnerable versions of async
node_modules/portfinder
webpack-dev-server >=2.0.0-beta
Depends on vulnerable versions of portfinder
node_modules/webpack-dev-server
laravel-mix *
Depends on vulnerable versions of webpack-dev-server
node_modules/laravel-mix
4 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Issue Analytics
- Created a year ago
- Comments: 10
Top Results From Across the Web
- Prototype Pollution in async · CVE-2021-43138 - GitHub: A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a...
- Update "async": Security vulnerability, prototype pollution #408: Hi there, there is a security vulnerability in the old async version, which is currently in use (GHSA-fwr7-v2mv-hh25).
- NPM Audit: Prototype pollution in async #2327 - 11ty/eleventy: async <2.6.4 Severity: high Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25 fix available via `npm audit ...
- Prototype Pollution in async · CVE-2021-43138 - GitHub: Prototype Pollution in async. High severity GitHub Reviewed Published on Apr 6 • Updated on Jun 2. Vulnerability details Dependabot alerts 0.
- Prototype Pollution vulnerability in async-store! #105 - GitHub: Hi there, There is a prototype pollution vulnerability while setting a key-value pair in the store using async-store.
Top GitHub Comments

Given that a fix has been released, I’m closing this. Running npm upgrade will upgrade async (it upgrades all dependencies in your tree — not just direct dependencies). All we can do now is wait for npm’s advisory database to be updated to reflect that 2.6.4 is not vulnerable.

yep, the version is only an example and this is absolutely temporary, I’ve just changed from “>3.2.2” to “>=2.6.4” and it works like a charm
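As an added example (not code from the issue, the commenters or the laravel-mix project), the following Node script lists every installed copy of async in a package-lock "packages" map and checks each against the advisory's per-branch fixed versions quoted on this page (2.6.4 for 2.x, 3.2.2 for 3.x) and against the blanket "async <3.2.2" range printed in the audit report above; the lockfile contents are constructed for the demonstration.

```javascript
// Added example, not code from the issue or the laravel-mix project: checks every
// installed "async" in a package-lock "packages" map against the advisory's
// per-branch fixed versions and against the blanket "<3.2.2" range from the
// npm audit report above (the range under which 2.6.4 still shows as affected).
function parseVersion(v) { // "MAJOR.MINOR.PATCH" -> [major, minor, patch]
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v); // prerelease/build suffix ignored
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) { // numeric field-by-field; <0, 0 or >0
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// GHSA-fwr7-v2mv-hh25 / CVE-2021-43138 as quoted on this page: 2.x fixed in
// 2.6.4, 3.x fixed in 3.2.2. Other majors are not covered by the advisory
// text, so they are reported as null (unknown) rather than guessed.
function isAffectedPerAdvisory(version) {
  const [major] = parseVersion(version);
  if (major === 2) return compareVersions(version, "2.6.4") < 0;
  if (major === 3) return compareVersions(version, "3.2.2") < 0;
  return null;
}
// The single range "async <3.2.2" printed by npm audit in the report above.
function isAffectedPerBlanketRange(version) {
  return compareVersions(version, "3.2.2") < 0;
}
// Walk a lockfile v2/v3 "packages" map and report every installed async,
// including nested copies such as portfinder's own node_modules/async.
function auditAsyncInLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === "node_modules/async" || p.endsWith("/node_modules/async"))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      affectedPerAdvisory: isAffectedPerAdvisory(meta.version),
      affectedPerBlanketRange: isAffectedPerBlanketRange(meta.version),
    }));
}
// Constructed sample lock (not a real laravel-mix lockfile): an old 3.x async
// at top level and the fixed 2.6.4 nested under portfinder.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/async": { version: "3.2.1" },
    "node_modules/portfinder/node_modules/async": { version: "2.6.4" },
  },
};
console.log(auditAsyncInLock(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a copy reported as affected under the blanket range but not under the advisory is the situation the closing comment describes.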