CVE-2021-43138: Prototype Pollution in async

[huineng]

Hi, i'm getting several audit warnings related to GHSA-fwr7-v2mv-hh25

affected library: workbox-webpack-plugin
also addressed here jakejs/jake#408

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install workbox-webpack-plugin@6.3.0, which is a breaking change
node_modules/jake/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @surma/rollup-plugin-off-main-thread  >=2.2.0
      Depends on vulnerable versions of ejs
      node_modules/@surma/rollup-plugin-off-main-thread
        workbox-build  >=6.4.0
        Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
        node_modules/workbox-build
          workbox-webpack-plugin  >=6.4.0
          Depends on vulnerable versions of workbox-build
          node_modules/workbox-webpack-plugin

thanks

[MCYouks]

Same here !

[akksa]

same here

[userquin]

published ejs 3.1.7: fixed jake dependency

[jeffposnick]

I can confirm that a fresh install of the various Workbox builds tools shows that the open vulnerability has been resolved, as @surma/rollup-plugin-off-main-thread now pulls in ejs v3.1.7.