Async version 2.6.1, released in May 2018, builds upon the foundation of its predecessor, 2.6.0 (released in November 2017), primarily through dependency updates and internal refinements. Both versions maintain the core functionality of providing higher-order functions and common patterns for asynchronous JavaScript, essential for managing complex asynchronous workflows in Node.js and the browser. A key difference lies in the lodash dependency, where 2.6.1 upgrades to ^4.17.10 from 2.6.0's ^4.14.0, potentially introducing performance enhancements and bug fixes inherent in newer lodash releases. For developers, this means subtly improved performance in operations related to collection manipulation.
The development dependencies also see significant upgrades. Key updates include newer versions of nyc for code coverage, chai for assertions during testing, karma for test running, and mocha as a test framework, resulting in a better developer experience with streamlined testing and more accurate code coverage reporting. Notably, version 2.6.1 declares browserify ^16.2.2 (version 2.6.0 doesn't declare it as a dependency), which represents a potential advantage in modern browser environments. Additionally, 2.6.1 includes rollup 0.36.3 and rollup-plugin-npm ^2.0.0, which are beneficial if developers are using rollup for modular bundling during the development process. Furthermore, version 2.6.1 has two properties in the dist element, fileCount and unpackedSize, which are not available in version 2.6.0. For developers choosing between these versions, 2.6.1 offers a more current ecosystem of testing and tooling, while the core async functionality remains consistent.
All the vulnerabilities related to the version 2.6.1 of the package
Prototype Pollution in async
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.
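To check a project against the ranges stated above, the following added example (not code from the async project or from this page) classifies an async version and walks a parsed package-lock.json for every installed copy, including nested ones. The function names and the sample lockfile are constructed for illustration; the lockfile layout assumed is npm's flat `packages` map (lockfileVersion 2/3) or nested `dependencies` tree (lockfileVersion 1).

```javascript
// Affected per the advisory: 2.x through 2.6.3 (fixed in 2.6.4), 3.x through 3.2.1 (fixed in 3.2.2).
const FIXED = { 2: [2, 6, 4], 3: [3, 2, 2] };

// Parse "2.6.1" (ignoring any pre-release/build suffix) into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Returns "affected", "fixed", or "unknown" (unparseable, or a major line the advisory does not mention).
function classifyAsync(version) {
  const v = parseVersion(version);
  if (!v || !FIXED[v[0]]) return "unknown";
  const f = FIXED[v[0]];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== f[i]) return v[i] < f[i] ? "affected" : "fixed";
  }
  return "fixed"; // exactly the fixed release
}

// Walk a parsed package-lock.json. lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree (assumed layout, see lead-in).
function findAsync(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/async" || path.endsWith("/node_modules/async")) {
      hits.push({ path, version: info.version, status: classifyAsync(info.version) });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = trail + "/" + name;
      if (name === "async") hits.push({ path, version: info.version, status: classifyAsync(info.version) });
      walk(info.dependencies, path); // nested copies pulled in by other packages
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/async": { version: "2.6.1" },
    "node_modules/example-lib/node_modules/async": { version: "3.2.2" },
  },
};
console.log(findAsync(sampleLock));
```

In practice, pass `JSON.parse` of the project's own package-lock.json to `findAsync` and treat any `affected` entry, direct or transitive, as needing an upgrade to the fixed release on its major line.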