Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix prototype pollution vulnerability #1828

Merged
merged 1 commit into from Apr 13, 2022
Merged

Fix prototype pollution vulnerability #1828

merged 1 commit into from Apr 13, 2022

Conversation

mriedem
Copy link

@mriedem mriedem commented Apr 8, 2022

(cherry picked from commit e1ecdbf)

Conflicts:
lib/internal/iterator.js
test/mapValues.js

NOTE(mriedem): The conflicts are due to:

  • e475117 for iterator.js;
    resolution was trivial
  • bd86f42 for mapValues.js;
    resolution was just copying the test change into the old
    test file before it was moved

This is a 2.x series backport for
https://nvd.nist.gov/vuln/detail/CVE-2021-43138.

@aearly @mriedem
Fix prototype pollution vulnerability
62aedf4 
(cherry picked from commit e1ecdbf)

Conflicts:
  lib/internal/iterator.js
  test/mapValues.js

NOTE(mriedem): The conflicts are due to:

- e475117 for iterator.js;
  resolution was trivial
- bd86f42 for mapValues.js;
  resolution was just copying the test change into the old
  test file before it was moved

This is a 2.x series backport for
https://nvd.nist.gov/vuln/detail/CVE-2021-43138.
mriedem referenced this pull request Apr 8, 2022
@aearly
Fix prototype pollution vulnerability
e1ecdbf
@mriedem
Copy link
Author

mriedem commented Apr 8, 2022

Feel free to ignore/close this if you want. For the project I cared about we just removed the dependency on async (it was only using doWhilst and we were able to just re-write that code to use a simple do...while).

@richgt
Copy link

richgt commented Apr 11, 2022

Would love to see this get merged and released as a 2.x patch. Ember.js relies on this library, but is incompatible with 3.x. Let us know if there's anything we can do to help get this merged.

@alexweininger
Copy link

Us over at https://github.com/microsoft/vscode-azure-account would be very grateful if this fix could get merged and released as a 2.x patch as well!

Currently cannot update to 3.x since async is a transient dependency.

@XinyuCRO XinyuCRO mentioned this pull request Apr 13, 2022
Merged
@kiskoza kiskoza mentioned this pull request Apr 13, 2022
Closed
@osdnk
Copy link

osdnk commented Apr 13, 2022

I know this is crazy, but what's the fix for 1.5.x?

@FrederikBolding
Copy link

I know this is crazy, but what's the fix for 1.5.x?

Is mapValues even included in the older versions? I can't seem to find it. And if not, is there no vuln in the older versions?

@chrisfinazzo chrisfinazzo mentioned this pull request Apr 13, 2022
Closed
@vaab vaab mentioned this pull request Apr 13, 2022
Closed
@thecrypticace thecrypticace mentioned this pull request Apr 13, 2022
Closed
@ClFeSc ClFeSc mentioned this pull request Apr 13, 2022
Closed
@github-actions github-actions bot mentioned this pull request Apr 13, 2022
Closed
@kumavis kumavis mentioned this pull request Apr 13, 2022
Merged
@hargasinski hargasinski merged commit 8f7f903 into caolan:2.x Apr 13, 2022
@hargasinski
Copy link
Collaborator

Fixed in v2.6.4!

@aearly could you add me to async-es on npm? I was only able to publish async proper and not async-es as I don't have permission to publish that package.

@julienw julienw mentioned this pull request Apr 14, 2022
Closed
@jmthibault79 jmthibault79 mentioned this pull request Apr 14, 2022
Merged
10 tasks
@mriedem
Copy link
Author

mriedem commented Apr 14, 2022

Fixed in v2.6.4!

Thank you!

@mriedem mriedem deleted the CVE-2021-43138-2.x-backport branch April 14, 2022 13:52
@aearly
Copy link
Collaborator

aearly commented Apr 15, 2022 via email

@hargasinski
Copy link
Collaborator

Published async-es v2.6.4, thanks!

@aduth aduth mentioned this pull request Apr 15, 2022
Merged
@szepeviktor szepeviktor mentioned this pull request Apr 18, 2022
Merged
This was referenced Apr 19, 2022
Closed
Closed
@okuryu okuryu mentioned this pull request Apr 20, 2022
Closed
@kelvinqian00 kelvinqian00 mentioned this pull request Apr 21, 2022
Closed
@crudo crudo mentioned this pull request May 11, 2022
Closed
@debricked debricked bot mentioned this pull request May 14, 2022
Closed
@debricked debricked bot mentioned this pull request Jun 13, 2022
Closed
@debricked debricked bot mentioned this pull request Jun 20, 2022
Closed
@sync-by-unito sync-by-unito bot mentioned this pull request Aug 9, 2022
Closed
@web-padawan web-padawan mentioned this pull request Oct 19, 2022
Merged
@debricked-staging debricked-staging bot mentioned this pull request Nov 7, 2022
Open
@debricked debricked bot mentioned this pull request Dec 19, 2022
Open
@debricked debricked bot mentioned this pull request Feb 8, 2023
Open
@sync-by-unito sync-by-unito bot mentioned this pull request Feb 17, 2023
Open
@westonsteimel westonsteimel mentioned this pull request Mar 10, 2023
Closed
@github-actions github-actions bot mentioned this pull request Apr 4, 2023
Open
@TheKingTermux TheKingTermux mentioned this pull request May 2, 2023
Closed
4 tasks
@debricked debricked bot mentioned this pull request Jan 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexweininger alexweininger alexweininger approved these changes

@wwlorey wwlorey wwlorey approved these changes

@BalvirPurewalADL BalvirPurewalADL BalvirPurewalADL approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@mriedem @richgt @alexweininger @osdnk @FrederikBolding @hargasinski @aearly @wwlorey @BalvirPurewalADL