Closed mlvandijk closed 1 year ago
First, our code is not affected by the security issue.
https://github.com/mde/ejs/blob/main/CHANGELOG.md#v301-2019-11-23
Here is the CHANGELOG, which one would need to read to know whether the Snyk-suggested commit is reasonable.
Seems small, but I'd need to peek at these
Removed require.extensions Removed legacy preprocessor include Removed support for EOL Nodes 4 and 6
The last one, that seeeeeems to be in use, in https://github.com/cucumber/commitbit/blob/master/serverless.yml.template But I guess updating to a newer Node is only a number there.
(PS: Sorry GitHub user mde, for any notifications caused. Not intended, have a nice day!)
Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 4.1
SNYK-JS-EJS-1049328
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information: 🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic