Changed ejs dependency version to 3.1.7. #759

Cogneter · 2022-05-08T06:26:20Z

The new version is required to fix template injection vulnerability in ejs GHSA-phwq-j96m-2c2q.

jamonholmgren · 2022-05-10T02:28:32Z

Will take a look soon!

Mashbourne1 · 2022-05-13T22:00:26Z

Hey @jamonholmgren, I'm kindly requesting a release with this fix as soon as you get a chance. Thanks in advance!

ThomasDRT · 2022-06-03T14:38:17Z

@jamonholmgren - also asking for a release with this fix please, thank you!

thompsonsj · 2022-06-15T16:18:36Z

This got closed but not merged. Any reason? GHSA-phwq-j96m-2c2q is rated critical.

In the meantime, I'm addressing this vulnerability using using yarn resolutions, in case it helps anyone else. A useful temporary fix, especially if you are looking to address security advisories (such as Dependabot).

"dependencies": {
  "gluegun": "^5.1.2"
},
"resolutions": {
  "ejs": "3.1.7"
},

https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/

Changed ejs dependency version to 3.1.7.

80974fa

The new version is required to fix template injection vulnerability in ejs GHSA-phwq-j96m-2c2q.

Cogneter mentioned this pull request May 8, 2022

Please update "ejs": Security vulnerability, template injection. #758

Open

This pull request was closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Changed ejs dependency version to 3.1.7. #759

Changed ejs dependency version to 3.1.7. #759

Cogneter commented May 8, 2022

jamonholmgren commented May 10, 2022

Mashbourne1 commented May 13, 2022

ThomasDRT commented Jun 3, 2022

thompsonsj commented Jun 15, 2022

Changed ejs dependency version to 3.1.7. #759

Changed ejs dependency version to 3.1.7. #759

Conversation

Cogneter commented May 8, 2022

jamonholmgren commented May 10, 2022

Mashbourne1 commented May 13, 2022

ThomasDRT commented Jun 3, 2022

thompsonsj commented Jun 15, 2022