11ty / eleventy

A simpler site generator. Transforms a directory of templates (of varying types) into HTML.
https://www.11ty.dev/
MIT License

Could you help update ejs in 0.12.2 release for @11ty/eleventy? #1932

Closed (evansrobert closed this 2 years ago)

evansrobert commented 3 years ago

Hi, @zachleat, I'd like to report a vulnerability introduced by package ejs:

Issue Description

I noticed that a vulnerability is introduced in @11ty/eleventy@0.12.1: Vulnerability SNYK-JS-EJS-1049328 affects package ejs (versions: <3.1.6): https://snyk.io/vuln/SNYK-JS-EJS-1049328. The above vulnerable package is referenced by @11ty/eleventy@0.12.1 via: @11ty/eleventy@0.12.1 ➔ ejs@2.7.4

Since @11ty/eleventy@0.12.1 (15,045 downloads per week) is referenced by a large number of downstream projects (e.g., @cor-web/cor-design-system 0.1.77 (latest version), nucleum 5.3.4 (latest version), reslate 3.0.0-5 (latest version), @giddyup/cli 0.0.21 (latest version), eleventy-plugin-metagen 1.4.0 (latest version)), the vulnerability SNYK-JS-EJS-1049328 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths: (1)@cor-web/cor-design-system@0.1.74 ➔ @11ty/eleventy@0.12.1 ➔ ejs@2.7.4 (2)@visual-framework/vf-component-library@1.1.12 ➔ @11ty/eleventy@0.12.1 ➔ ejs@2.7.4 ......

If @11ty/eleventy@0.12.* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from @11ty/eleventy@0.12.1 ?

Fixing suggestions

In @11ty/eleventy@0.12.2, maybe you can kindly try to perform the following upgrade: ejs ^2.7.4 ➔ ^3.1.6;

Note: ejs@3.1.6(>=3.1.6) has fixed the vulnerability SNYK-JS-EJS-1049328.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards, ^_^

zachleat commented 3 years ago

Major template engine bumps require an Eleventy major version bump. We definitely wouldn’t do a 0.12.2 for this. We could do a 0.13.x but that would still require semver opt-in (and relies on those weird pre 1.0 exceptions in semver that I don’t agree with)

That said, we did migrate to ejs 3.x for the impending Eleventy 1.0: https://github.com/11ty/eleventy/issues/1392

If ejs wants to issue a fix for this in their 2.x branch, that’d be the best way for Eleventy 0.x forward.

Open to pushback for a 0.13.x if some others weigh in.
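The two mechanics this thread turns on are (a) how a vulnerable transitive dependency such as ejs@2.7.4 is reachable from a downstream project through @11ty/eleventy, and (b) why a fix shipped in a 0.13.x release would need semver opt-in from consumers pinned at ^0.12.x. The script below is an added example, not code from the Eleventy project or from anyone in this issue. It walks a constructed lockfile-v1-shaped dependency tree (`CONSTRUCTED_LOCK`, an assumption built for this example) and reports every path that reaches a package whose installed version is below the fixed version, and it implements the caret-range rule npm applies to 0.x versions so the opt-in point can be checked directly. Only plain `MAJOR.MINOR.PATCH` versions are handled; pre-release tags are out of scope.

```javascript
// Added example: audit a package-lock-style tree for a vulnerable transitive
// dependency and check whether a caret range would pick up a fixed release.
// Not Eleventy project code. The lock object below is constructed for this
// example and mirrors the path reported in the issue.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1, comparing MAJOR, then MINOR, then PATCH.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: ^X.Y.Z allows updates that do not change the
// left-most non-zero component. So ^2.7.4 means >=2.7.4 <3.0.0, while
// ^0.12.1 means >=0.12.1 <0.13.0. This is the "pre 1.0 exception" that
// keeps a 0.13.x release from being installed by a ^0.12.x consumer.
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled');
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
    compareVersions(version, caretUpperBound(base)) < 0;
}

// Constructed lockfile-v1 shape: { name, version, dependencies: { name: { version, dependencies } } }
const CONSTRUCTED_LOCK = {
  name: 'downstream-site',
  version: '1.0.0',
  dependencies: {
    '@11ty/eleventy': {
      version: '0.12.1',
      dependencies: {
        ejs: { version: '2.7.4' },
      },
    },
    'another-build-tool': {
      version: '4.2.0',
      dependencies: {
        ejs: { version: '3.1.6' }, // already on the fixed line, must not be flagged
      },
    },
  },
};

// Depth-first walk; every occurrence of pkgName with version < fixedIn is
// reported with the full path from the root, so the maintainer sees which
// direct dependency brings the vulnerable copy in.
function findVulnerablePaths(lock, pkgName, fixedIn) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${meta.version}`];
      if (name === pkgName && compareVersions(meta.version, fixedIn) < 0) {
        hits.push(path.join(' -> '));
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, [`${lock.name}@${lock.version}`]);
  return hits;
}

// Stand-alone run: report the vulnerable path(s) and the opt-in question.
for (const p of findVulnerablePaths(CONSTRUCTED_LOCK, 'ejs', '3.1.6')) {
  console.log('vulnerable path:', p);
}
console.log('^0.12.1 accepts 0.12.2:', satisfiesCaret('0.12.2', '^0.12.1'));
console.log('^0.12.1 accepts 0.13.0:', satisfiesCaret('0.13.0', '^0.12.1'));
console.log('^2.7.4 accepts 3.1.6:', satisfiesCaret('3.1.6', '^2.7.4'));
```

Run against a real project by replacing `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfile v2/v3 files also carry a flat `packages` map, which this walker does not read. The last two checks show the two sides of the maintainer's point: a consumer on ^0.12.1 would get a 0.12.2 patch automatically but not a 0.13.0, and Eleventy's own ^2.7.4 constraint on ejs can never resolve to 3.1.6, which is why the fix required either an ejs 2.x backport or a new Eleventy release line.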

pdehaan commented 3 years ago

I don't think I'd be opposed to 0.13.x release that only bumps ejs. I think it might depend on if you have an ETA for when v1 is released (weeks-vs-months).

But makes me wonder if we should reconsider https://github.com/11ty/eleventy/issues/1103 since it means you could modify engines plugins independently of having to bump Eleventy versions. Or if we release Eleventy v1 in a month, and then a week later LiquidJS updates to v10 and if that means we'd have to bump to Eleventy v2 (per "Major template engine bumps require an Eleventy major version bump.")

zachleat commented 3 years ago

If I had to guess there are 7 non-docs issues left on the milestone—I’d guess 2-4 weeks

kleinfreund commented 2 years ago

@zachleat @11ty/eleventy@1.0.1 uses ejs@3.1.6 (see https://github.com/11ty/eleventy/blob/v1.0.1/package.json) so I think this can be closed.

zachleat commented 2 years ago

Thanks @kleinfreund—yes! This somehow was left out of the release milestone but 1.0 does have ejs 3.x