new release of nconf needed to address CVE-2021-43138

[grant-g]

nconf release 0.11.3 has dependency "async": "^1.4.0", which cannot satisfy CVE-2021-43138. A new release of nconf is needed that brings in async 3.2.2 or newer.

The guidance for apps that depend on packages like nconf is to resolve such findings within 15 days whenever possible. It would be very helpful if this can be resolved quickly, to give downstream apps an opportunity to adopt the fix in good time. Thank-you in advance!

[mhamann]

This should be possible, though there are breaking changes in async be that make it less than straightforward.

[grant-g]

@mhamann Thank-you for looking into this. I'm sure this wasn't a task you had planned in the short-term, but there are likely many apps out there that need this update in order to stay compliant. If you run into blockers/delays please let us know here, thanks again!

[mhamann]

The necessary changes have been merged into v0.x and will likely be released as v0.12 this week after some final testing.

[PaulAnnekov]

JFYI, nconf looks like not affected, because it's not using mapValues async method which is vulnerable according to CVE.

[mhamann]

Thanks for the insight, @PaulAnnekov.

v0.12.0 has been released to address the CVE