From 181b717f8b240eb8609c0b4085ad2dbc9d732bca Mon Sep 17 00:00:00 2001
From: Fadi Quader
Date: Mon, 11 Apr 2022 10:12:16 -0700
Subject: [PATCH] Bump 'async' from v2.4.2 to v3.2.2 to fix a prototype pollution exploit (#802)

Summary:
## Summary
The PR is essentially to update [async](https://www.npmjs.com/package/async) to version [3.2.2](https://github.com/caolan/async/blob/master/CHANGELOG.md#v322) to fix t a [prototype pollution exploit](https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827) found in versions < `3.2.2` . The vulnerability was discovered by [Snyk](https://snyk.io/) has discovered an exploit in and labelled as **High Severity**.
Changelog: [Internal]
Pull Request resolved: https://github.com/facebook/metro/pull/802
Reviewed By: GijsWeterings
Differential Revision: D35543054
Pulled By: robhogan
fbshipit-source-id: b176c584dbcb139115e466a765e3efbe6f1f984d
---
 packages/buck-worker-tool/package.json | 2 +-
 packages/metro/package.json | 2 +-
 yarn.lock | 7 ++++++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/packages/buck-worker-tool/package.json b/packages/buck-worker-tool/package.json
index 3a7c48db51..684658e3a2 100644
--- a/packages/buck-worker-tool/package.json
+++ b/packages/buck-worker-tool/package.json
@@ -5,7 +5,7 @@
   "license": "MIT",
   "main": "src/worker-tool.js",
   "dependencies": {
-    "async": "^2.4.0",
+    "async": "^3.2.2",
     "duplexer": "^0.1.1",
     "invariant": "^2.2.4",
     "jsonparse": "^1.2.0",
diff --git a/packages/metro/package.json b/packages/metro/package.json
index c8a6e86168..8a245fd8f6 100644
--- a/packages/metro/package.json
+++ b/packages/metro/package.json
@@ -22,7 +22,7 @@
     "@babel/types": "^7.0.0",
     "absolute-path": "^0.0.0",
     "accepts": "^1.3.7",
-    "async": "^2.4.0",
+    "async": "^3.2.2",
     "chalk": "^4.0.0",
     "ci-info": "^2.0.0",
     "connect": "^3.6.5",
diff --git a/yarn.lock b/yarn.lock
index f47dba807a..74d7734a64 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1704,13 +1704,18 @@ async@^1.5.0:
   resolved "https://registry.yarnpkg.com/async/-/async-1.5.2.tgz#ec6a61ae56480c0c3cb241c95618e20892f9672a"
   integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
 
-async@^2.4.0, async@^2.6.2:
+async@^2.6.2:
   version "2.6.3"
   resolved "https://registry.yarnpkg.com/async/-/async-2.6.3.tgz#d72625e2344a3656e3a3ad4fa749fa83299d82ff"
   integrity sha512-zflvls11DCy+dQWzTW2dzuilv8Z5X/pjfmZOWba6TNIVDm+2UDaJmXSOXlasHKfNBs8oo3M0aT50fDEWfKZjXg==
   dependencies:
     lodash "^4.17.14"
 
+async@^3.2.2:
+  version "3.2.3"
+  resolved "https://registry.yarnpkg.com/async/-/async-3.2.3.tgz#ac53dafd3f4720ee9e8a160628f18ea91df196c9"
+  integrity sha512-spZRyzKL5l5BZQrr/6m/SqFdBN0q3OCI0f9rjfBzCMBIP4p75P620rR3gTmaksNOhmzgdxcaxdNfMy6anrbM0g==
+
 asynckit@^0.4.0:
   version "0.4.0"
   resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79"