Closed
Description
Bug report
Actual Behavior
Dependabot cannot update async to a non-vulnerable version (3.2.2), as it is a dependency of [email protected], creating a high severity vulnerability. From the Dependabot log: "A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method."
Currently it appears that portfinder may be abandonware; as of my last check it hasn't been updated in ~2 years. There is an issue raised with portfinder about the async dependency, linked below, but it has gone unanswered, as it appears portfinder is no longer receiving support.
http-party/node-portfinder#126
Expected Behavior
How Do We Reproduce?
Install webpack@latest and webpack-dev-server@latest and run npm audit to see the vulnerability.
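The report above describes a vulnerable copy of async that Dependabot cannot bump because it is pinned transitively through portfinder. The following Node.js script is an added example, not code from the issue or from the webpack-dev-server or portfinder projects: it scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3) offline, flags every copy of `async` below the fixed version 3.2.2, and shows which nested `node_modules` path pulled it in. The lockfile fragment and its package versions are constructed for the demonstration.

```javascript
// Added example (not from the original issue): find copies of `async` below the
// fixed version 3.2.2 in an npm lockfile and show the nesting path that pulled them in.
const FIXED_ASYNC = [3, 2, 2]; // first non-vulnerable version named in the issue

// Parse "major.minor.patch" (prerelease/build suffixes are ignored) into numbers.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True if version tuple a sorts strictly before tuple b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Turn a lockfile key such as "node_modules/portfinder/node_modules/async"
// into the chain of package names on that path: ["portfinder", "async"].
function dependencyChain(key) {
  return key
    .split('node_modules/')
    .map((part) => part.replace(/\/$/, ''))
    .filter(Boolean);
}

// Walk the lockfile's `packages` map and collect every `async` entry that is
// older than `fixed`. Each hit records the path, the version and the chain.
function findVulnerableAsync(lock, fixed = FIXED_ASYNC) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/async')) continue;
    const ver = parseSemver(meta.version || '');
    if (ver && isBelow(ver, fixed)) {
      hits.push({ path: key, version: meta.version, chain: dependencyChain(key) });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (versions are illustrative, not real
// releases): the hoisted async is fixed, but portfinder carries a nested old copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { 'webpack-dev-server': '^4.0.0' } },
    'node_modules/webpack-dev-server': { version: '4.0.0', dependencies: { portfinder: '^1.0.0' } },
    'node_modules/portfinder': { version: '1.0.0', dependencies: { async: '^2.0.0' } },
    'node_modules/portfinder/node_modules/async': { version: '2.6.4' },
    'node_modules/async': { version: '3.2.3' },
  },
};

// Report each vulnerable copy as "version @ path (chain)".
function formatReport(hits) {
  return hits.map((h) => `${h.version} @ ${h.path} (${h.chain.join(' -> ')})`);
}

console.log(formatReport(findVulnerableAsync(sampleLock)).join('\n'));
```

Running this against a real project means replacing `sampleLock` with the parsed contents of package-lock.json. When the hit sits under an unmaintained package, as the issue describes for portfinder, npm 8.3 and later let the consuming project pin the transitive version itself with an `overrides` entry in package.json (Yarn's equivalent is `resolutions`); that only fixes the audit finding if the overridden package actually works with the newer async, so the project's tests need to run after the override.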