infinitered / gluegun

A delightful toolkit for building TypeScript-powered command-line apps.
MIT License

Changed ejs dependency version to 3.1.7. #759

Closed Cogneter closed 2 years ago

Cogneter commented 2 years ago

The new version is required to fix template injection vulnerability in ejs https://github.com/advisories/GHSA-phwq-j96m-2c2q.

jamonholmgren commented 2 years ago

Will take a look soon!

Mashbourne1 commented 2 years ago

Hey @jamonholmgren, I'm kindly requesting a release with this fix as soon as you get a chance. Thanks in advance!

ThomasDRT commented 2 years ago

@jamonholmgren - also asking for a release with this fix please, thank you!

thompsonsj commented 2 years ago

This got closed but not merged. Any reason? https://github.com/advisories/GHSA-phwq-j96m-2c2q is rated critical.

In the meantime, I'm addressing this vulnerability using yarn resolutions, in case it helps anyone else. A useful temporary fix, especially if you are looking to address security advisories (such as Dependabot).

{
  "dependencies": {
    "gluegun": "^5.1.2"
  },
  "resolutions": {
    "ejs": "3.1.7"
  }
}

https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/
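A check a maintainer can run after applying a resolution like the one above, as an added example that is not part of this thread or the gluegun project: it parses a yarn.lock v1 excerpt (constructed here, not a real lockfile) and reports any ejs entry that still resolves below 3.1.7, the version the PR moves to.

```javascript
// Added example (not gluegun's own code): verify that every ejs entry in a
// yarn.lock v1 file resolves to >= 3.1.7, the fixed version named in the PR.
const MIN_SAFE_EJS = "3.1.7";

// Compare two dotted versions: -1, 0 or 1 (numeric components only; a
// non-numeric component counts as 0, which errs on the side of "unpatched").
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function ejsVersionIsPatched(version) {
  return compareVersions(version, MIN_SAFE_EJS) >= 0;
}

// Parse yarn.lock v1 text; return { specifiers, version } for ejs entries only.
// An entry header looks like `ejs@^3.1.6, ejs@3.1.7:`; its body is indented.
function findEjsEntries(lockText) {
  const entries = [];
  let current = null;
  for (const line of lockText.split("\n")) {
    if (line && !line.startsWith(" ") && !line.startsWith("#")) {
      const specs = line.replace(/:\s*$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = specs.every((s) => s.startsWith("ejs@")) ? { specifiers: specs, version: null } : null;
      if (current) entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Versions of ejs still below the fix; an empty array means the lockfile is clean.
function unpatchedEjsVersions(lockText) {
  return findEjsEntries(lockText)
    .filter((e) => e.version !== null && !ejsVersionIsPatched(e.version))
    .map((e) => e.version);
}

// Constructed excerpt (not a real lockfile): one stale entry, one pinned entry,
// and an unrelated package that must be ignored.
const SAMPLE_LOCK = `# yarn lockfile v1
ejs@^3.1.6:
  version "3.1.6"
"ejs@3.1.7":
  version "3.1.7"
other-pkg@^1.0.0:
  version "1.2.0"
`;
console.log(unpatchedEjsVersions(SAMPLE_LOCK)); // prints [ '3.1.6' ]
```

Once the resolution is in place and `yarn install` has rewritten the lockfile, the stale `3.1.6` entry should disappear and the check should return an empty array.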