fix: remove pinned async dev dependency from default package.json (#22321)

Artur- · web-flow · commit 158f388c617a · 2025-09-24T07:05:55.000Z
The async dependency was originally added in PR #13547 to fix a Prototype Pollution security vulnerability. This is no longer needed as the vulnerability has been resolved in newer versions and there are no direct dependencies requiring async. Fixes #21507
diff --git a/flow-server/src/main/resources/com/vaadin/flow/server/frontend/dependencies/default/package.json b/flow-server/src/main/resources/com/vaadin/flow/server/frontend/dependencies/default/package.json
@@ -8,7 +8,6 @@
     "lit": "3.3.1"
   },
   "devDependencies": {
-    "async": "3.2.6",
     "glob": "11.0.3",
     "typescript": "5.9.2",
     "workbox-core": "7.3.0",
diff --git a/flow-server/src/test/java/com/vaadin/flow/server/frontend/NodeUpdaterTest.java b/flow-server/src/test/java/com/vaadin/flow/server/frontend/NodeUpdaterTest.java
@@ -179,7 +179,6 @@ private Set<String> getCommonDevDeps() {
         expectedDependencies.add("workbox-core");
         expectedDependencies.add("workbox-precaching");
         expectedDependencies.add("glob");
-        expectedDependencies.add("async");
         return expectedDependencies;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,6 @@ private Set<String> getCommonDevDeps() {`
`179`	`179`	`expectedDependencies.add("workbox-core");`
`180`	`180`	`expectedDependencies.add("workbox-precaching");`
`181`	`181`	`expectedDependencies.add("glob");`
`182`		`- expectedDependencies.add("async");`
`183`	`182`	`return expectedDependencies;`
`184`	`183`	`}`
`185`	`184`