Async version 2.4.0 is a minor release following 2.3.0, with the same core purpose: offering higher-order functions and common patterns to simplify asynchronous JavaScript development. Both versions depend on lodash (version ^4.14.0) for utility functions, which keeps their handling of data structures consistent. Both are also released under the MIT license, which eases adoption for developers, and the author remains Caolan McMahon.
While the core functionality and primary dependency remain the same, subtle improvements and bug fixes are likely present in version 2.4.0. Developers should consider upgrading for potential performance gains or resolutions to issues encountered in 2.3.0. Inspect the changelog or release notes (usually available on the GitHub repository) to understand the specific enhancements and bug fixes included in the newer version. The release dates differ, which indicates that the code changed between the two versions. Always test thoroughly when upgrading dependencies to ensure compatibility and prevent unexpected behavior in your application.
All vulnerabilities related to version 2.4.0 of the package
Prototype Pollution in async
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.
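To check a project against the ranges in this advisory, the following added example (not code from the async project) walks the `packages` map of an npm lockfile and classifies every installed copy of `async`, including nested ones. The function names and `SAMPLE_LOCK` are constructed for illustration; major versions the advisory text does not mention are reported separately rather than guessed.

```javascript
// Fixed versions per major line, exactly as stated in the advisory text above.
const FIXED = { 2: [2, 6, 4], 3: [3, 2, 2] };

// Strict x.y.z only; prerelease or ranged strings are left for manual review.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const v = parseVersion(version);
  if (!v) return "needs-manual-review";
  const fixed = FIXED[v[0]];
  if (!fixed) return "outside-advisory-ranges"; // advisory names only 2.x and 3.x
  return compare(v, fixed) < 0 ? "affected" : "fixed";
}

// npm lockfileVersion 2/3 keys each installed copy by its node_modules path.
function findAsync(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/async" || path.endsWith("/node_modules/async")) {
      hits.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: one top-level copy and one nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/async": { version: "2.4.0" },
    "node_modules/async-each": { version: "1.0.3" }, // different package, ignored
    "node_modules/winston/node_modules/async": { version: "3.2.2" },
  },
};

for (const hit of findAsync(SAMPLE_LOCK)) {
  console.log(`${hit.status.padEnd(8)} ${hit.version}  ${hit.path}`);
}
```

Nested copies matter here because a transitive dependency can pin an affected release even when the top-level `async` is already on a fixed version.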