Dependency vulnerability due to async

[vaab]

$ npm audit
# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @vue/cli-plugin-eslint@3.12.1, which is a breaking change
node_modules/async
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    @vue/cli-service  *
    Depends on vulnerable versions of @vue/cli-plugin-router
    Depends on vulnerable versions of portfinder
    node_modules/@vue/cli-service
      @vue/cli-plugin-babel  >=4.0.0-alpha.0
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-babel
      @vue/cli-plugin-eslint  >=4.0.0-alpha.0
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-eslint
      @vue/cli-plugin-router  *
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-router
      @vue/cli-plugin-typescript  >=4.0.0-alpha.0
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-typescript
      @vue/cli-plugin-vuex  *
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-vuex
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server

9 high severity vulnerabilities

As developped here, it is mainly dependency to vuejs/webpack through portfinder 1.0.28 that depends on async v2 (a v3 is available, but incompatible I guess with portfinder). As of caolan/async#1828 it seems that a PR is on the way to backport the fix to async v2.