
Please update "ejs": Security vulnerability, template injection.

Open Mashbourne1 opened this issue 3 years ago • 5 comments

After running the npm audit, the report shows 2 high-security vulnerabilities for version 3.1.6 of ejs that gluegun depends on. It requires version ^3.1.7

npm audit report

ejs  <3.1.7
Severity: high
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ejs
  gluegun  >=0.3.0
  Depends on vulnerable versions of ejs
  node_modules/gluegun

2 high severity vulnerabilities

Mashbourne1 avatar Apr 29 '22 15:04 Mashbourne1
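As an added example (not code from the gluegun project or from anyone in this thread), the script below performs the check that the npm audit report above describes, directly against a package-lock: it walks the lockfile's `packages` map, finds every installed copy of ejs, flags the copies below 3.1.7, and lists which packages declare ejs as a dependency. The lockfile is constructed for this example; apart from ejs 3.1.6 and 3.1.7, every version number in it is a placeholder, and the `findBelowMinimum`, `dependentsOf` and `compareSemver` helpers are this example's own names.

```javascript
// Added example: scan an npm package-lock (lockfileVersion 2/3 "packages" map)
// for copies of one package that sit below a minimum version, the same condition
// that `npm audit` reported above for ejs <3.1.7.
// LOCKFILE is constructed for this example. Only the ejs versions 3.1.6 and
// 3.1.7 come from the thread; the other versions are placeholders.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { gluegun: "*" } },
    // placeholder gluegun version; what matters is the ejs range it resolves to
    "node_modules/gluegun": { version: "0.0.0", dependencies: { ejs: "3.1.6" } },
    "node_modules/ejs": { version: "3.1.6" },
    // a second, nested copy pulled in by some other (constructed) dependency
    "node_modules/other-tool": { version: "0.0.0", dependencies: { ejs: "^3.1.7" } },
    "node_modules/other-tool/node_modules/ejs": { version: "3.1.7" },
  },
};

// Compare two release versions on major.minor.patch; a missing component counts
// as 0 and any prerelease suffix is ignored. Returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is the part of the lockfile path after the last "node_modules/",
// so nested copies and scoped packages (@scope/name) both resolve correctly.
function packageNameOf(lockPath) {
  return lockPath.split("node_modules/").pop();
}

// Every installed copy of pkgName whose version is below minVersion.
function findBelowMinimum(lock, pkgName, minVersion) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry.version) continue; // root entry has no version
    if (packageNameOf(lockPath) !== pkgName) continue;
    if (compareSemver(entry.version, minVersion) < 0) {
      hits.push({ path: lockPath, version: entry.version });
    }
  }
  return hits;
}

// Which installed packages declare pkgName as a dependency (who is pulling it in).
function dependentsOf(lock, pkgName) {
  const deps = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue;
    if (entry.dependencies && pkgName in entry.dependencies) {
      deps.push({ path: lockPath, range: entry.dependencies[pkgName] });
    }
  }
  return deps;
}

// Human-readable report in the spirit of the npm audit output above.
function report(lock, pkgName, minVersion) {
  const lines = [];
  for (const hit of findBelowMinimum(lock, pkgName, minVersion)) {
    lines.push(`${hit.path}: ${pkgName}@${hit.version} is below ${minVersion}`);
  }
  for (const dep of dependentsOf(lock, pkgName)) {
    lines.push(`${dep.path} depends on ${pkgName} ${dep.range}`);
  }
  return lines;
}

console.log(report(LOCKFILE, "ejs", "3.1.7").join("\n"));
```

Running this after bumping or pinning the dependency confirms that no second, nested copy of ejs below the minimum is still resolved, which a quick look at the top-level `node_modules/ejs` alone would miss. The comparison only handles release versions; it treats a missing patch component as 0 and does not order prerelease tags.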

I second that. Please update gluegun's ejs dependency version to 3.1.7.

Added a pull request for that: https://github.com/infinitered/gluegun/pull/759

Cogneter avatar May 08 '22 06:05 Cogneter

Hey folks, any plans to merge the PR? It's been a while.

sidwebworks avatar May 08 '22 12:05 sidwebworks

Also looking for this PR to get merged, if we can please.

ThomasDRT avatar Jun 06 '22 19:06 ThomasDRT

Hi folks, this high-security vulnerability still exists. Is it possible we can have the ejs dependency updated to 3.1.7 soon?

Please note that the pull request #759 made for it was closed without a release.

Mashbourne1 avatar Aug 11 '22 18:08 Mashbourne1

Not sure why the original was closed but I've opened #764 to bump ejs to 3.1.8.

bennetthardwick avatar Aug 29 '22 06:08 bennetthardwick