Skip to content

Update dependency async to v3 [SECURITY]#10

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-async-vulnerability
Open

Update dependency async to v3 [SECURITY]#10
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-async-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented May 3, 2026

This PR contains the following updates:

Package Change Age Confidence
async (source) ^1.5.0^3.0.0 age confidence
async (source) ^0.9.0^3.0.0 age confidence
async (source) ^1.5.2^3.0.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Prototype Pollution in async

CVE-2021-43138 / GHSA-fwr7-v2mv-hh25

More information

Details

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

caolan/async (async)

v3.2.6

Compare Source

v3.2.5

Compare Source

  • Ensure Error objects such as AggregateError are propagated without modification (#​1920)

v3.2.4

Compare Source

  • Fix a bug in priorityQueue where it didn't wait for the result. (#​1725)
  • Fix a bug where unshiftAsync was included in priorityQueue. (#​1790)

v3.2.3

Compare Source

v3.2.2

Compare Source

  • Fix potential prototype pollution exploit

v3.2.1

Compare Source

v3.2.0

Compare Source

v3.1.1

Compare Source

  • Allow redefining name property on wrapped functions.

v3.1.0

Compare Source

  • Added q.pushAsync and q.unshiftAsync, analagous to q.push and q.unshift, except they always do not accept a callback, and reject if processing the task errors. (#​1659)
  • Promises returned from q.push and q.unshift when a callback is not passed now resolve even if an error ocurred. (#​1659)
  • Fixed a parsing bug in autoInject with complicated function bodies (#​1663)
  • Added ES6+ configuration for Browserify bundlers (#​1653)
  • Various doc fixes (#​1664, #​1658, #​1665, #​1652)

v3.0.1

Compare Source

Bug fixes

  • Fixed a regression where arrays passed to queue and cargo would be completely flattened. (#​1645)
  • Clarified Async's browser support (#​1643)

v3.0.0

Compare Source

The async/await release!

There are a lot of new features and subtle breaking changes in this major version, but the biggest feature is that most Async methods return a Promise if you omit the callback, meaning you can await them from within an async function.

const results = await async.mapLimit(urls, 5, async url => {
    const resp = await fetch(url)
    return resp.body
})

Breaking Changes

  • Most Async methods return a Promise when the final callback is omitted, making them await-able! (#​1572)
  • We are now making heavy use of ES2015 features, this means we have dropped out-of-the-box support for Node 4 and earlier, and many old versions of browsers. (#​1541, #​1553)
  • In queue, priorityQueue, cargo and cargoQueue, the "event"-style methods, like q.drain and q.saturated are now methods that register a callback, rather than properties you assign a callback to. They are now of the form q.drain(callback). If you do not pass a callback a Promise will be returned for the next occurrence of the event, making them await-able, e.g. await q.drain(). (#​1586, #​1641)
  • Calling callback(false) will cancel an async method, preventing further iteration and callback calls. This is useful for preventing memory leaks when you break out of an async flow by calling an outer callback. (#​1064, #​1542)
  • during and doDuring have been removed, and instead whilst, doWhilst, until and doUntil now have asynchronous test functions. (#​850, #​1557)
  • limits of less than 1 now cause an error to be thrown in queues and collection methods. (#​1249, #​1552)
  • memoize no longer memoizes errors (#​1465, #​1466)
  • applyEach/applyEachSeries have a simpler interface, to make them more easily type-able. It always returns a function that takes in a single callback argument. If that callback is omitted, a promise is returned, making it awaitable. (#​1228, #​1640)

New Features

  • Async generators are now supported in all the Collection methods. (#​1560)
  • Added cargoQueue, a queue with both concurrency and payload size parameters. (#​1567)
  • Queue objects returned from queue now have a Symbol.iterator method, meaning they can be iterated over to inspect the current list of items in the queue. (#​1459, #​1556)
  • A ESM-flavored async.mjs is included in the async package. This is described in the package.json "module" field, meaning it should be automatically used by Webpack and other compatible bundlers.

Bug fixes

Other

v2.6.4

Compare Source

v2.6.3

Compare Source

v2.6.2

Compare Source

v2.6.1

Compare Source

v2.6.0

Compare Source

v2.5.0

Compare Source

  • Added concatLimit, the Limit equivalent of concat (#​1426, #​1430)
  • concat improvements: it now preserves order, handles falsy values and the iteratee callback takes a variable number of arguments (#​1437, #​1436)
  • Fixed an issue in queue where there was a size discrepancy between workersList().length and running() (#​1428, #​1429)
  • Various doc fixes (#​1422, #​1424)

v2.4.1

Compare Source

  • Fixed a bug preventing functions wrapped with timeout() from being re-used. (#​1418, #​1419)

v2.4.0

Compare Source

  • Added tryEach, for running async functions in parallel, where you only expect one to succeed. (#​1365, #​687)
  • Improved performance, most notably in parallel and waterfall (#​1395)
  • Added queue.remove(), for removing items in a queue (#​1397, #​1391)
  • Fixed using eval, preventing Async from running in pages with Content Security Policy (#​1404, #​1403)
  • Fixed errors thrown in an asyncifyed function's callback being caught by the underlying Promise (#​1408)
  • Fixed timing of queue.empty() (#​1367)
  • Various doc fixes (#​1314, #​1394, #​1412)

v2.3.0

Compare Source

  • Added support for ES2017 async functions. Wherever you can pass a Node-style/CPS function that uses a callback, you can also pass an async function. Previously, you had to wrap async functions with asyncify. The caveat is that it will only work if async functions are supported natively in your environment, transpiled implementations can't be detected. (#​1386, #​1390)
  • Small doc fix (#​1392)

v2.2.0

Compare Source

  • Added groupBy, and the Series/Limit equivalents, analogous to _.groupBy (#​1364)
  • Fixed transform bug when callback was not passed (#​1381)
  • Added note about reflect to parallel docs (#​1385)

v2.1.5

Compare Source

  • Fix auto bug when function names collided with Array.prototype (#​1358)
  • Improve some error messages (#​1349)
  • Avoid stack overflow case in queue
  • Fixed an issue in some, every and find where processing would continue after the result was determined.
  • Cleanup implementations of some, every and find

v2.1.4

Compare Source

v2.1.2

Compare Source

  • Fixed a stackoverflow bug with detect, some, every on large inputs (#​1293).

v2.1.1

Compare Source

v2.1.0

Compare Source

v2.0.1

Compare Source

  • Significantly optimized all iteration based collection methods such as each, map, filter, etc (#​1245, #​1246, #​1247).

v2.0.0

Compare Source

Lots of changes here!

First and foremost, we have a slick new site for docs. Special thanks to @​hargasinski for his work converting our old docs to jsdoc format and implementing the new website. Also huge ups to @​ivanseidel for designing our new logo. It was a long process for both of these tasks, but I think these changes turned out extraordinary well.

The biggest feature is modularization. You can now require("async/series") to only require the series function. Every Async library function is available this way. You still can require("async") to require the entire library, like you could do before.

We also provide Async as a collection of ES2015 modules. You can now import {each} from 'async-es' or import waterfall from 'async-es/waterfall'. If you are using only a few Async functions, and are using a ES bundler such as Rollup, this can significantly lower your build size.

Major thanks to @​Kikobeats, @​aearly and @​megawac for doing the majority of the modularization work, as well as @​jdalton and @​Rich-Harris for advisory work on the general modularization strategy.

Another one of the general themes of the 2.0 release is standardization of what an "async" function is. We are now more strictly following the node-style continuation passing style. That is, an async function is a function that:

  1. Takes a variable number of arguments
  2. The last argument is always a callback
  3. The callback can accept any number of arguments
  4. The first argument passed to the callback will be treated as an error result, if the argument is truthy
  5. Any number of result arguments can be passed after the "error" argument
  6. The callback is called once and exactly once, either on the same tick or later tick of the JavaScript event loop.

There were several cases where Async accepted some functions that did not strictly have these properties, most notably auto, every, some, filter, reject and detect.

Another theme is performance. We have eliminated internal deferrals in all cases where they make sense. For example, in waterfall and auto, there was a setImmediate between each task -- these deferrals have been removed. A setImmediate call can add up to 1ms of delay. This might not seem like a lot, but it can add up if you are using many Async functions in the course of processing a HTTP request, for example. Nearly all asynchronous functions that do I/O already have some sort of deferral built in, so the extra deferral is unnecessary. The trade-off of this change is removing our built-in stack-overflow defense. Many synchronous callback calls in series can quickly overflow the JS call stack. If you do have a function that is sometimes synchronous (calling its callback on the same tick), and are running into stack overflows, wrap it with async.ensureAsync().

Another big performance win has been re-implementing queue, cargo, and priorityQueue with doubly linked lists instead of arrays. This has lead to queues being an order of magnitude faster on large sets of tasks.

New Features

  • Async is now modularized. Individual functions can be require()d from the main package. (require('async/auto')) (#​984, #​996)
  • Async is also available as a collection of ES2015 modules in the new async-es package. (import {forEachSeries} from 'async-es') (#​984, #​996)
  • Added race, analogous to Promise.race(). It will run an array of async tasks in parallel and will call its callback with the result of the first task to respond. (#​568, #​1038)
  • Collection methods now accept ES2015 iterators. Maps, Sets, and anything that implements the iterator spec can now be passed directly to each, map, parallel, etc.. (#​579, #​839, #​1074)
  • Added mapValues, for mapping over the properties of an object and returning an object with the same keys. (#​1157, #​1177)
  • Added timeout, a wrapper for an async function that will make the task time-out after the specified time. (#​1007, #​1027)
  • Added reflect and reflectAll, analagous to Promise.reflect(), a wrapper for async tasks that always succeeds, by gathering results and errors into an object. (#​942, #​1012, #​1095)
  • constant supports dynamic arguments -- it will now always use its last argument as the callback. (#​1016, #​1052)
  • setImmediate and nextTick now support arguments to partially apply to the deferred function, like the node-native versions do. (#​940, #​1053)
  • auto now supports resolving cyclic dependencies using Kahn's algorithm (#​1140).
  • Added autoInject, a relative of auto that automatically spreads a task's dependencies as arguments to the task function. (#​608, #​1055, #​1099, #​1100)
  • You can now limit the concurrency of auto tasks. (#​635, #​637)
  • Added retryable, a relative of retry that wraps an async function, making it retry when called. (#​1058)
  • retry now supports specifying a function that determines the next time interval, useful for exponential backoff, logging and other retry strategies. (#​1161)
  • retry will now pass all of the arguments the task function was resolved with to the callback (#​1231).
  • Added q.unsaturated -- callback called when a queue's number of running workers falls below a threshold. (#​868, #​1030, #​1033, #​1034)
  • Added q.error -- a callback called whenever a queue task calls its callback with an error. (#​1170)
  • applyEach and applyEachSeries now pass results to the final callback. (#​1088)

Breaking changes

  • Calling a callback more than once is considered an error, and an error will be thrown. This had an explicit breaking change in waterfall. If you were relying on this behavior, you should more accurately represent your control flow as an event emitter or stream. (#​814, #​815, #​1048, #​1050)
  • auto task functions now always take the callback as the last argument. If a task has dependencies, the results object will be passed as the first argument. To migrate old task functions, wrap them with _.flip (#​1036, #​1042)
  • Internal setImmediate calls have been refactored away. This may make existing flows vulnerable to stack overflows if you use many synchronous functions in series. Use ensureAsync to work around this. (#​696, #​704, #​1049, #​1050)
  • map used to return an object when iterating over an object. map now always returns an array, like in other libraries. The previous object behavior has been split out into mapValues. (#​1157, #​1177)
  • filter, reject, some, every, detect and their families like {METHOD}Series and {METHOD}Limit now expect an error as the first callback argument, rather than just a simple boolean. Pass null as the first argument, or use fs.access instead of fs.exists. (#​118, #​774, #​1028, #​1041)
  • {METHOD} and {METHOD}Series are now implemented in terms of {METHOD}Limit. This is a major internal simplification, and is not expected to cause many problems, but it does subtly affect how functions execute internally. (#​778, #​847)
  • retry's callback is now optional. Previously, omitting the callback would partially apply the function, meaning it could be passed directly as a task to series or auto. The partially applied "control-flow" behavior has been separated out into retryable. (#​1054, #​1058)
  • The test function for whilst, until, and during used to be passed non-error args from the iteratee function's callback, but this led to weirdness where the first call of the test function would be passed no args. We have made it so the test function is never passed extra arguments, and only the doWhilst, doUntil, and doDuring functions pass iteratee callback arguments to the test function (#​1217, #​1224)
  • The q.tasks array has been renamed q._tasks and is now implemented as a doubly linked list (DLL). Any code that used to interact with this array will need to be updated to either use the provided helpers or support DLLs (#​1205).
  • The timing of the q.saturated() callback in a queue has been modified to better reflect when tasks pushed to the queue will start queueing. (#​724, #​1078)
  • Removed iterator method in favour of ES2015 iterator protocol which natively supports arrays (#​1237)
  • Dropped support for Component, Jam, SPM, and Volo (#​1175, ##​176)

Bug Fixes

  • Improved handling of no dependency cases in auto & autoInject (#​1147).
  • Fixed a bug where the callback generated by asyncify with Promises could resolve twice (#​1197).
  • Fixed several documented optional callbacks not actually being optional (#​1223).

Other

Thank you @​aearly and @​megawac for taking the lead on version 2 of async.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants