CVE-2021-43138 vulnerability in async (@symfony#webpack-encore#webpack-dev-server#portfinder)

[arderyp]

yarn why async

yarn why v1.22.18
[1/4] Why do we have the module "async"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "async@2.6.3"
info Reasons this module exists
   - "@symfony#webpack-encore#webpack-dev-server#portfinder" depends on it
   - Hoisted from "@symfony#webpack-encore#webpack-dev-server#portfinder#async"
info Disk size without dependencies: "852KB"
info Disk size with unique dependencies: "5.71MB"
info Disk size with transitive dependencies: "5.71MB"
info Number of shared dependencies: 1
Done in 0.77s.

I am not sure of the solution here, as it seems to stem from a dependency that hasn't been touched in years: https://github.com/http-party/node-portfinder

ISSUES:

• Update "async" dependency http-party/node-portfinder#126
• node-portfinder not supported anymore webpack/webpack-dev-server#4383

I'm creating this issue mostly as a reference, as I don't think this repo can do anything reasonable to resolve this situations. If the maintainers want to close this, go for it, at least people will find it through google.

[stof]

This repo indeed cannot do anything about it. It needs to be solved in portfinder or in webpack-dev-server (by replacing portfinder)