Open Mashbourne1 opened 2 years ago
I second that. Please update gluegun's ejs dependency version to 3.1.7.
Added a pull request for that: https://github.com/infinitered/gluegun/pull/759
Hey folks, any plans to merge the PR? It's been a while.
Also looking for this PR to get merged, if we can please.
Hi folks, this high-security vulnerability still exists. Is it possible we can have the ejs dependency updated to 3.1.7 soon?
Please note that the pull request #759 made for it was closed without a release.
Not sure why the original was closed but I've opened #764 to bump ejs to 3.1.8.
After running the npm audit, the report shows 2 high-security vulnerabilities for version 3.1.6 of ejs that gluegun depends on. It requires version ^3.1.7.
npm audit report

ejs  <3.1.7
Severity: high
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via npm audit fix --force
Will install gluegun@0.0.1, which is a breaking change
node_modules/ejs
  gluegun  >=0.3.0
  Depends on vulnerable versions of ejs
  node_modules/gluegun

2 high severity vulnerabilities