[Snyk] Security upgrade ejs from 2.5.6 to 3.1.6

[mlvandijk]

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • yarn.lock

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	598/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[olleolleolle]

First, our code is not affected by the security issue.

https://github.com/mde/ejs/blob/main/CHANGELOG.md#v301-2019-11-23

Here is the CHANGELOG, which one would need to read to know whether the Snyk-suggested commit is reasonable.

Seems small, but I'd need to peek at these

Removed require.extensions Removed legacy preprocessor include Removed support for EOL Nodes 4 and 6

The last one, that seeeeeems to be in use, in https://github.com/cucumber/commitbit/blob/master/serverless.yml.template But I guess updating to a newer Node is only a number there.

(PS: Sorry GitHub user mde, for any notifications caused. Not intended, have a nice day!)

---