Closed Cogneter closed 2 years ago
Will take a look soon!
Hey @jamonholmgren, I'm kindly requesting a release with this fix as soon as you get a chance. Thanks in advance!
@jamonholmgren - also asking for a release with this fix please, thank you!
This got closed but not merged. Any reason? https://github.com/advisories/GHSA-phwq-j96m-2c2q is rated critical.
In the meantime, I'm addressing this vulnerability using yarn resolutions, in case it helps anyone else. A useful temporary fix, especially if you are looking to address security advisories (such as Dependabot).
  "dependencies": {
    "gluegun": "^5.1.2"
  },
  "resolutions": {
    "ejs": "3.1.7"
  },
https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/
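Added example, not from the gluegun project or from anyone in this thread: a small Node script that verifies the workaround above actually took effect, by parsing a yarn.lock (v1 format) for resolved `ejs` versions below the fixed release and by checking that package.json carries the `resolutions` pin. The lockfile and package.json contents are constructed for illustration; the only real identifiers are `ejs`, `gluegun`, the fixed version 3.1.7 and the advisory id from this thread.

```javascript
// Verify that a yarn "resolutions" override for ejs has taken effect.
// Added example; the sample lockfile text and package.json below are constructed.

const FIXED_EJS = "3.1.7"; // first ejs release without GHSA-phwq-j96m-2c2q

// Compare two dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse a yarn.lock v1 file into [{ keys, version }] entries.
// Entry headers are unindented lines ending in ':' (possibly several
// comma-separated, quoted specifiers); the resolved version is the
// indented `version "x.y.z"` line inside the entry.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.trim().endsWith(":")) {
      const header = raw.trim().slice(0, -1);
      const keys = header.split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Resolved ejs versions in the lockfile that are older than the fix.
function findVulnerableEjs(lockText, fixed = FIXED_EJS) {
  return parseYarnLock(lockText)
    .filter((e) => e.keys.some((k) => /^ejs@/.test(k)))
    .filter((e) => e.version && compareVersions(e.version, fixed) < 0)
    .map((e) => e.version);
}

// True when package.json pins ejs via "resolutions" to the fix or later.
function resolutionPinsEjs(pkg, fixed = FIXED_EJS) {
  const pinned = pkg.resolutions && pkg.resolutions.ejs;
  return typeof pinned === "string" && compareVersions(pinned, fixed) >= 0;
}

// Constructed lockfile before the override: gluegun still pulls ejs 3.1.6.
const SAMPLE_LOCK_BEFORE = `# yarn lockfile v1

"ejs@^3.1.6":
  version "3.1.6"
  resolved "https://registry.example/ejs-3.1.6.tgz"

"gluegun@^5.1.2":
  version "5.1.2"
  resolved "https://registry.example/gluegun-5.1.2.tgz"
  dependencies:
    ejs "^3.1.6"
`;

// Constructed lockfile after `yarn install` with the resolutions pin applied.
const SAMPLE_LOCK_AFTER = `# yarn lockfile v1

"ejs@3.1.7", "ejs@^3.1.6":
  version "3.1.7"
  resolved "https://registry.example/ejs-3.1.7.tgz"

"gluegun@^5.1.2":
  version "5.1.2"
  resolved "https://registry.example/gluegun-5.1.2.tgz"
  dependencies:
    ejs "^3.1.6"
`;

const SAMPLE_PKG = {
  dependencies: { gluegun: "^5.1.2" },
  resolutions: { ejs: "3.1.7" },
};

console.log("before:", findVulnerableEjs(SAMPLE_LOCK_BEFORE)); // [ '3.1.6' ]
console.log("after:", findVulnerableEjs(SAMPLE_LOCK_AFTER));   // []
console.log("pinned:", resolutionPinsEjs(SAMPLE_PKG));          // true
```

To run it against a real project, replace the constructed strings with `fs.readFileSync("yarn.lock", "utf8")` and `JSON.parse(fs.readFileSync("package.json", "utf8"))`; a non-empty result from `findVulnerableEjs` means the override was not applied or the lockfile was not regenerated.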
The new version is required to fix template injection vulnerability in ejs https://github.com/advisories/GHSA-phwq-j96m-2c2q.