[🐸 Frogbot] Update version of async to 2.6.4

[github-actions]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	CONTEXTUAL ANALYSIS	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	Not Applicable	async:2.6.1 grunt-contrib-watch:1.1.0 cypress:3.3.1 grunt-jsbeautifier:0.2.13 grunt-retire:0.3.12	async 2.6.1	[2.6.4] [3.2.2]	CVE-2021-43138

🔬 Research Details

Description:
async is a utility module which provides straight-forward, powerful functions for working with asynchronous JavaScript.

The function mapValues was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input

Example of code vulnerable to this issue -

const async = require('async'); 
var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "polluted": true }}');

async.mapValues(input, (val, key, next) => {
    next(null, val)
}, (err, result) => {
    // result's prototype is now polluted
    console.log(result.polluted);
})

Note that the prototype pollution affects only the prototype of the newly created object (result in the example above) and as such is much less destructive than a normal prototype pollution

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

---

🐸 JFrog Frogbot

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud