Async versions 3.0.0 and 2.6.4 are key releases of this popular JavaScript utility library for simplifying asynchronous programming. A notable shift between them is in their dependencies. Async 3.0.0 eliminates the direct dependency on Lodash, reducing bundle size and potentially improving performance by avoiding the overhead of loading Lodash; version 3.0.0 ships with zero runtime dependencies. This is an advantage for developers looking for lightweight solutions. Version 2.6.4, which still depends on Lodash, might offer a more familiar API surface for Lodash users who benefit from having its utility functions readily available within async operations.
The devDependencies lists are extensive in both versions, reflecting a commitment to robust testing and development practices. The rich array of testing frameworks, linting tools, and build processes employed, including Mocha for testing, ESLint for code quality, and Rollup for bundling, supports confidence in the library's reliability; browser-testing tooling such as Karma is included as well. While the core functionality remains consistent, the development environment evolved, as evidenced by updates to specific tools such as ESLint (upgraded from 2.13.1 to 4.19.1). Ultimately, the choice between v2.6.4 and v3.0.0 hinges on factors such as dependency aversion, bundle weight, and the need for Lodash in your asynchronous workflows. The library remains a valuable tool for managing complex asynchronous operations in JavaScript environments.
All vulnerabilities affecting version 3.0.0 of the package
Prototype Pollution in async
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.
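As an added, defender-side example (not code from the async project or from this page), the JavaScript below does two things a practitioner would want when triaging the advisory above: it encodes the affected ranges stated there (2.x before 2.6.4, 3.x before 3.2.2) so a build check can flag an installed async version, and it rejects input objects carrying keys that can reach Object.prototype before such input is handed to mapValues-style iteration. The function names and the idea of pre-validating input are assumptions of this example, not an API of async.

```javascript
// Added example, not part of async. Two defensive checks around the
// prototype-pollution advisory: a version-range check and an input key guard.

// First fixed release per major line, as stated in the advisory.
const FIXED = { 2: [2, 6, 4], 3: [3, 2, 2] };

// Parse "v3.2.1" / "3.2.1" into [major, minor, patch]; throws on junk.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the given async version falls inside an affected range.
function isAffectedAsyncVersion(version) {
  const parsed = parseSemver(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return false; // majors the advisory does not name
  return compareSemver(parsed, fixed) < 0;
}

// Keys that, used as property names on a plain object, can reach the
// prototype chain instead of staying on the object itself.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk an object (e.g. parsed JSON from an untrusted source) and throw if any
// own key, at any depth, is one of DANGEROUS_KEYS. Returns the object unchanged.
function rejectPrototypeKeys(obj, path = '') {
  if (obj === null || typeof obj !== 'object') return obj;
  for (const key of Object.keys(obj)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" at ${path || '<root>'}`);
    }
    rejectPrototypeKeys(obj[key], path ? `${path}.${key}` : key);
  }
  return obj;
}

// Example usage with constructed values (no network, no async package needed).
console.log('3.2.1 affected:', isAffectedAsyncVersion('3.2.1')); // true
console.log('3.2.2 affected:', isAffectedAsyncVersion('3.2.2')); // false
rejectPrototypeKeys({ users: { alice: { role: 'viewer' } } });   // passes
```

Run the version check against the `version` field of `node_modules/async/package.json` in CI, and apply the key guard to any externally supplied object before it reaches mapValues or similar per-key iteration.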