From 943ec402e932211580c4de923da7e919056dd5d4 Mon Sep 17 00:00:00 2001
From: Fadi Quader
Date: Mon, 11 Apr 2022 12:10:59 +0800
Subject: [PATCH 1/2] update 'async' to fix prototype pollution exploit

---
 packages/buck-worker-tool/package.json | 2 +-
 packages/metro/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/buck-worker-tool/package.json b/packages/buck-worker-tool/package.json
index 3a7c48db51..684658e3a2 100644
--- a/packages/buck-worker-tool/package.json
+++ b/packages/buck-worker-tool/package.json
@@ -5,7 +5,7 @@
 "license": "MIT",
 "main": "src/worker-tool.js",
 "dependencies": {
- "async": "^2.4.0",
+ "async": "^3.2.2",
 "duplexer": "^0.1.1",
 "invariant": "^2.2.4",
 "jsonparse": "^1.2.0",
diff --git a/packages/metro/package.json b/packages/metro/package.json
index c8a6e86168..8a245fd8f6 100644
--- a/packages/metro/package.json
+++ b/packages/metro/package.json
@@ -22,7 +22,7 @@
 "@babel/types": "^7.0.0",
 "absolute-path": "^0.0.0",
 "accepts": "^1.3.7",
- "async": "^2.4.0",
+ "async": "^3.2.2",
 "chalk": "^4.0.0",
 "ci-info": "^2.0.0",
 "connect": "^3.6.5",
From f0f780390bf72a26aed539a659f892fb8518e6ce Mon Sep 17 00:00:00 2001
From: Fadi Quader
Date: Mon, 11 Apr 2022 15:28:48 +0800
Subject: [PATCH 2/2] update yarn.lock

---
 yarn.lock | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/yarn.lock b/yarn.lock
index 92e1f0af28..1fc1f272f4 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1704,13 +1704,18 @@ async@^1.5.0:
 resolved "https://registry.yarnpkg.com/async/-/async-1.5.2.tgz#ec6a61ae56480c0c3cb241c95618e20892f9672a"
 integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
 
-async@^2.4.0, async@^2.6.2:
+async@^2.6.2:
 version "2.6.3"
 resolved "https://registry.yarnpkg.com/async/-/async-2.6.3.tgz#d72625e2344a3656e3a3ad4fa749fa83299d82ff"
 integrity sha512-zflvls11DCy+dQWzTW2dzuilv8Z5X/pjfmZOWba6TNIVDm+2UDaJmXSOXlasHKfNBs8oo3M0aT50fDEWfKZjXg==
 dependencies:
 lodash "^4.17.14"
 
+async@^3.2.2:
+ version "3.2.3"
+ resolved "https://registry.yarnpkg.com/async/-/async-3.2.3.tgz#ac53dafd3f4720ee9e8a160628f18ea91df196c9"
+ integrity sha512-spZRyzKL5l5BZQrr/6m/SqFdBN0q3OCI0f9rjfBzCMBIP4p75P620rR3gTmaksNOhmzgdxcaxdNfMy6anrbM0g==
+
 asynckit@^0.4.0:
 version "0.4.0"
 resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79"
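Review bot: The lockfile still resolves `async@^2.6.2` to 2.6.3 and `async@^1.5.0` to 1.5.2, so after this series only the two direct dependents (packages/buck-worker-tool and packages/metro) move to async 3.2.3 while the older copies stay installed for whichever packages request them. If the prototype pollution issue named in the first commit's subject also affects those release lines, the tree remains exposed through those other dependents; `yarn why async` would identify them, and they can then be upgraded or overridden with a `resolutions` entry in the root package.json once a patched release in each range is confirmed. Separately, `^2.4.0` to `^3.2.2` is a major-version jump and the call sites in the two packages are not visible in this patch, so they should be checked against the async v3 changelog before merging.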