chore(deps): update dependency async to v3.2.2 [security]#140

Open
renovate[bot] wants to merge 1 commit into develop from renovate/npm-async-vulnerability

@renovate renovate Bot commented Jun 24, 2022

This PR contains the following updates:

Package | Change | Age | Confidence
async (source) | 3.0.0 → 3.2.2 | age | confidence

Prototype Pollution in async

CVE-2021-43138 / GHSA-fwr7-v2mv-hh25

More information

Details

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

caolan/async (async)

v3.2.2

Compare Source

  • Fix potential prototype pollution exploit

v3.2.1

Compare Source

v3.2.0

Compare Source

v3.1.1

Compare Source

  • Allow redefining name property on wrapped functions.

v3.1.0

Compare Source

  • Added q.pushAsync and q.unshiftAsync, analogous to q.push and q.unshift, except they always do not accept a callback, and reject if processing the task errors. (#1659)
  • Promises returned from q.push and q.unshift when a callback is not passed now resolve even if an error occurred. (#1659)
  • Fixed a parsing bug in autoInject with complicated function bodies (#1663)
  • Added ES6+ configuration for Browserify bundlers (#1653)
  • Various doc fixes (#1664, #1658, #1665, #1652)

v3.0.1

Compare Source

Bug fixes

  • Fixed a regression where arrays passed to queue and cargo would be completely flattened. (#1645)
  • Clarified Async's browser support (#1643)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
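
A lockfile check for the version ranges quoted in the advisory above (vulnerable through 3.2.1 on 3.x and through 2.6.3 on 2.x), added here as an example; it is not part of the PR, Renovate, or the async project. It goes beyond the single direct dependency this PR bumps by also finding nested copies of `async` pulled in transitively. The sample lockfile and the `legacy-tool` package name are constructed for illustration.

```javascript
// First fixed release per major line, taken from the advisory text on this page.
const FIXED = { 2: [2, 6, 4], 3: [3, 2, 2] };

// Parse "x.y.z" (any prerelease/build suffix is ignored) into [x, y, z].
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

function classify(version) {
  const v = parse(version);
  if (!v) return "unknown";
  const fixed = FIXED[v[0]];
  if (!fixed) return "unlisted"; // the advisory names only the 2.x and 3.x lines
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i] ? "vulnerable" : "fixed";
  }
  return "fixed";
}

// Collect every resolved copy of `async`, top-level or nested.
function findAsync(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/async$/.test(path)) hits.push({ path, version: pkg.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested "dependencies"
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "async") hits.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

function audit(lock) {
  return findAsync(lock).map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample: the direct dependency is updated, a nested copy is not.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "demo" },
  "node_modules/async": { version: "3.2.2" },
  "node_modules/async-each": { version: "1.0.3" },
  "node_modules/legacy-tool/node_modules/async": { version: "2.6.3" },
} };
console.log(audit(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of `package-lock.json`.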

@renovate renovate Bot changed the title chore(deps): update dependency async to 3.2.2 [security] fix(deps): update dependency async to v3.2.2 [security] Mar 24, 2023
@renovate renovate Bot changed the title fix(deps): update dependency async to v3.2.2 [security] fix(deps): update dependency async to v3.2.2 [security] - autoclosed Dec 13, 2023
@renovate renovate Bot closed this Dec 13, 2023
@renovate renovate Bot deleted the renovate/npm-async-vulnerability branch December 13, 2023 17:12
@renovate renovate Bot changed the title fix(deps): update dependency async to v3.2.2 [security] - autoclosed fix(deps): update dependency async to v3.2.2 [security] Dec 13, 2023
@renovate renovate Bot reopened this Dec 13, 2023
@renovate renovate Bot restored the renovate/npm-async-vulnerability branch December 13, 2023 18:39
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from e646259 to 457a2d2 Compare December 13, 2023 18:42
@renovate renovate Bot changed the title fix(deps): update dependency async to v3.2.2 [security] fix(deps): update dependency async to v3.2.2 [security] - autoclosed Dec 8, 2024
@renovate renovate Bot closed this Dec 8, 2024
@renovate renovate Bot deleted the renovate/npm-async-vulnerability branch December 8, 2024 18:31
@renovate renovate Bot changed the title fix(deps): update dependency async to v3.2.2 [security] - autoclosed fix(deps): update dependency async to v3.2.2 [security] Dec 8, 2024
@renovate renovate Bot reopened this Dec 8, 2024
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 601a94e to 457a2d2 Compare December 8, 2024 21:05
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 457a2d2 to a5ed8ca Compare January 23, 2025 17:14
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from a5ed8ca to 90f9b7c Compare January 30, 2025 18:36
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 90f9b7c to ef1fbea Compare February 9, 2025 13:07
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from ef1fbea to fcb19eb Compare March 3, 2025 15:46
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch 3 times, most recently from 13948a3 to 2b1e54e Compare March 17, 2025 16:48
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 2b1e54e to a32375c Compare April 1, 2025 12:47
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from a32375c to e4936f7 Compare April 8, 2025 13:36
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from e4936f7 to ee29ac3 Compare April 24, 2025 08:40
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from ee29ac3 to 858971b Compare May 19, 2025 16:53
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch 2 times, most recently from 7faee82 to 6c1ac57 Compare June 4, 2025 06:05
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 6c1ac57 to 95089df Compare June 22, 2025 15:30
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 95089df to f9cb501 Compare July 2, 2025 15:09
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from f9cb501 to d840f4f Compare August 10, 2025 13:57
@renovate renovate Bot changed the title fix(deps): update dependency async to v3.2.2 [security] chore(deps): update dependency async to v3.2.2 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from d840f4f to aacbd1a Compare November 10, 2025 13:54
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from aacbd1a to 35ef323 Compare November 18, 2025 11:38
@renovate renovate Bot changed the title chore(deps): update dependency async to v3.2.2 [security] chore(deps): update dependency async to v3.2.2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency async to v3.2.2 [security] - autoclosed chore(deps): update dependency async to v3.2.2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch 2 times, most recently from 35ef323 to 7c76a71 Compare March 30, 2026 18:06
@renovate renovate Bot changed the title chore(deps): update dependency async to v3.2.2 [security] chore(deps): update dependency async to v3.2.2 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency async to v3.2.2 [security] - autoclosed chore(deps): update dependency async to v3.2.2 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-async-vulnerability branch from 7c76a71 to 06a4ecd Compare April 27, 2026 23:32