freeCodeCamp / CurriculumExpansion

Creative Commons Attribution Share Alike 4.0 International

chore(deps): update dependency ejs to v3 [security] - autoclosed #362

Closed renovate[bot] closed 10 months ago

renovate[bot] commented 10 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| ejs | `^2.6.2` -> `^3.0.0` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2022-29078

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).


Release Notes

mde/ejs (ejs)

### [`v3.1.7`](https://togithub.com/mde/ejs/releases/tag/v3.1.7)

[Compare Source](https://togithub.com/mde/ejs/compare/v3.1.6...v3.1.7)

Version 3.1.7

### [`v3.1.6`](https://togithub.com/mde/ejs/releases/tag/v3.1.6)

[Compare Source](https://togithub.com/mde/ejs/compare/v3.1.5...v3.1.6)

Version 3.1.6

### [`v3.1.5`](https://togithub.com/mde/ejs/releases/tag/v3.1.5)

Version 3.1.5

### [`v3.1.3`](https://togithub.com/mde/ejs/compare/v3.1.2...v3.1.3)

[Compare Source](https://togithub.com/mde/ejs/compare/v3.1.2...v3.1.3)

### [`v3.1.2`](https://togithub.com/mde/ejs/compare/v3.0.2...v3.1.2)

[Compare Source](https://togithub.com/mde/ejs/compare/v3.0.2...v3.1.2)

### [`v3.0.2`](https://togithub.com/mde/ejs/compare/v3.0.1...v3.0.2)

[Compare Source](https://togithub.com/mde/ejs/compare/v3.0.1...v3.0.2)

### [`v3.0.1`](https://togithub.com/mde/ejs/compare/v2.7.4...v3.0.1)

[Compare Source](https://togithub.com/mde/ejs/compare/v2.7.4...v3.0.1)

### [`v2.7.4`](https://togithub.com/mde/ejs/releases/tag/v2.7.4)

[Compare Source](https://togithub.com/mde/ejs/compare/v2.7.3...v2.7.4)

##### Bug fixes

- Fixed Node 4 support, which broke in v2.7.3 (https://github.com/mde/ejs/commit/5e42d6cef15ae6f2c7d29ef55a455e8e49b5e76e, [@mde](https://togithub.com/mde))

### [`v2.7.3`](https://togithub.com/mde/ejs/releases/tag/v2.7.3)

[Compare Source](https://togithub.com/mde/ejs/compare/v2.7.2...v2.7.3)

##### Bug fixes

- Made the post-install message more discreet by following the example of [opencollective-postinstall](https://togithub.com/opencollective/opencollective-postinstall) (https://github.com/mde/ejs/commit/228d8e45b7ced2afd3e596c13d44aed464e57e43, [@mde](https://togithub.com/mde))

### [`v2.7.2`](https://togithub.com/mde/ejs/releases/tag/v2.7.2)

[Compare Source](https://togithub.com/mde/ejs/compare/v2.7.1...v2.7.2)

##### Features

- Added support for destructuring locals ([#452](https://togithub.com/mde/ejs/issues/452), [@ExE-Boss](https://togithub.com/ExE-Boss))
- Added support for disabling legacy `include` directives ([#458](https://togithub.com/mde/ejs/issues/458), [#459](https://togithub.com/mde/ejs/issues/459), [@ExE-Boss](https://togithub.com/ExE-Boss))
- Compiled functions are now shown in the debugger ([#456](https://togithub.com/mde/ejs/issues/456), [@S2-](https://togithub.com/S2-))
- `function.name` is now set to the file base name in environments that support this ([#466](https://togithub.com/mde/ejs/issues/466), [@ExE-Boss](https://togithub.com/ExE-Boss))

##### Bug Fixes

- The error message when `async != true` now correctly mentions the existence of the `async` option ([#460](https://togithub.com/mde/ejs/issues/460), [@ExE-Boss](https://togithub.com/ExE-Boss))
- Improved performance of HTML output generation ([#470](https://togithub.com/mde/ejs/issues/470), [@nwoltman](https://togithub.com/nwoltman))

### [`v2.7.1`](https://togithub.com/mde/ejs/releases/tag/v2.7.1)

[Compare Source](https://togithub.com/mde/ejs/compare/v2.6.2...v2.7.1)

##### Deprecated:

- Added deprecation notice for use of `require.extensions` ([@mde](https://togithub.com/mde))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
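The advisory quoted in this PR describes engine options reaching the ejs compiler through `settings['view options']` and overriding `outputFunctionName`. The example below is added here and is not code from this PR, from freeCodeCamp or from the ejs project; it shows the boundary an application should keep between request data and template options regardless of the ejs version installed. It assumes an Express-style `res.render(view, locals)` call that merges `locals` into the engine options, and every helper name in it (`pickSafeLocals`, `validateIdentifierOptions`, `buildRenderArgs`, the reserved-key list) is ours. The identifier check in `validateIdentifierOptions` is the kind of check a template engine can apply before splicing an option into generated code; whether that is exactly how ejs 3.1.7 handles it is not stated on this page, so treat that as an assumption.

```javascript
// Added example, not code from this PR or from the ejs project.
// Defensive boundary for the CVE-2022-29078 class of issue: request-controlled
// keys such as `settings`, `view options` or `outputFunctionName` must never
// reach the template compiler. Assumptions: an Express-style
// res.render(view, locals) call merges `locals` into the engine options;
// all names below are ours.

// Option names ejs treats as compiler settings rather than as template
// variables. The application owns these; request data may never set them.
const RESERVED_OPTION_KEYS = new Set([
  'settings', 'view options', 'outputFunctionName', 'localsName',
  'destructuredLocals', 'client', 'delimiter', 'openDelimiter', 'closeDelimiter',
]);

// Keys that would alter an object's prototype instead of adding a property.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// The only shape a name spliced into generated function source should have.
const JS_IDENTIFIER = /^[A-Za-z_$][0-9A-Za-z_$]*$/;

function isJsIdentifier(value) {
  return typeof value === 'string' && JS_IDENTIFIER.test(value);
}

// Copy only allow-listed, own, primitive-valued keys out of untrusted input
// (a parsed query string or JSON body). Nested objects are dropped, so a
// `settings: { "view options": {...} }` payload can never be forwarded.
function pickSafeLocals(untrusted, allowedKeys) {
  const locals = {};
  if (untrusted === null || typeof untrusted !== 'object') return locals;
  for (const key of allowedKeys) {
    if (PROTOTYPE_KEYS.has(key) || RESERVED_OPTION_KEYS.has(key)) continue;
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    const value = untrusted[key];
    const t = typeof value;
    if (t === 'string' || t === 'number' || t === 'boolean') locals[key] = value;
  }
  return locals;
}

// Validate the identifier-typed options the application itself configures.
// Doing this in the application fails closed even if the engine does not.
function validateIdentifierOptions(options) {
  for (const name of ['outputFunctionName', 'localsName']) {
    if (name in options && !isJsIdentifier(options[name])) {
      throw new TypeError(`${name} must be a JavaScript identifier, got ${JSON.stringify(options[name])}`);
    }
  }
  if ('destructuredLocals' in options) {
    const list = options.destructuredLocals;
    if (!Array.isArray(list) || !list.every(isJsIdentifier)) {
      throw new TypeError('destructuredLocals must be an array of identifiers');
    }
  }
  return options;
}

// Build what a handler would hand to res.render: application-fixed options
// plus filtered locals, never the raw request object. Even after Express-style
// merging, nothing from the request can land on a reserved key.
function buildRenderArgs(untrustedQuery) {
  const options = validateIdentifierOptions({
    outputFunctionName: 'echo_', // fixed by the app, never by the request
    rmWhitespace: true,
  });
  const locals = pickSafeLocals(untrustedQuery, ['name', 'page']);
  return Object.assign({}, options, locals);
}

// Constructed sample: what a query-string or JSON parser might hand back when a
// request tries to smuggle engine options alongside real parameters.
const constructedQuery = JSON.parse(
  '{"name":"Ada","page":"2",' +
  '"settings":{"view options":{"outputFunctionName":"not an identifier"}},' +
  '"outputFunctionName":"also dropped","__proto__":{"polluted":true}}'
);

console.log(buildRenderArgs(constructedQuery));
// → { outputFunctionName: 'echo_', rmWhitespace: true, name: 'Ada', page: '2' }
```

The allowlist is the important part: the filter never has to know every option name the engine might honour in a future release, because it only forwards keys the handler explicitly asked for, and only when their values are primitives.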

socket-security[bot] commented 10 months ago

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

| Packages | Version | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- | --- |
| ejs | 2.6.2...3.1.9 | filesystem, shell, environment | +15/-0 | 2.27 MB | mde |