Fix prototype pollution vulnerability #1828
(cherry picked from commit e1ecdbf)

Conflicts:
  lib/internal/iterator.js
  test/mapValues.js

NOTE(mriedem): The conflicts are due to:
- e475117 for iterator.js; resolution was trivial
- bd86f42 for mapValues.js; resolution was just copying the test change into the old test file before it was moved

This is a 2.x series backport for https://nvd.nist.gov/vuln/detail/CVE-2021-43138.
|
Feel free to ignore/close this if you want. For the project I cared about we just removed the dependency on async (it was only using |
|
Would love to see this get merged and released as a 2.x patch. Ember.js relies on this library, but is incompatible with 3.x. Let us know if there's anything we can do to help get this merged. |
|
Us over at https://github.com/microsoft/vscode-azure-account would be very grateful if this fix could get merged and released as a 2.x patch as well! Currently cannot update to 3.x since async is a transient dependency. |
|
I know this is crazy, but what's the fix for 1.5.x? |
Is |
|
Fixed in @aearly could you add me to |
Thank you! |
|
@hargasinski you should be added as a maintainer. Thanks for handling this,
I've been incredibly busy the past few weeks.
…On Wed, Apr 13, 2022, 4:20 PM Hubert Argasinski ***@***.***> wrote:
Fixed in v2.6.4!
@aearly <https://github.com/aearly> could you add me to async-es on npm?
I was only able to publish async proper and not async-es as I don't have
permission to publish that package.
|
|
Published async-es |