infinitered / gluegun

A delightful toolkit for building TypeScript-powered command-line apps.
MIT License

fix(deps): bump ejs to 3.1.8 #764

Closed bennetthardwick closed 9 months ago

bennetthardwick commented 1 year ago

Currently, when installing a CLI created with gluegun, users will see a message saying "1 critical severity vulnerability" because of a vulnerability in ejs: https://github.com/advisories/GHSA-phwq-j96m-2c2q


While it's not likely this will cause an issue, it might worry some people who install gluegun-created CLIs.

This vulnerability is patched in ejs@3.1.7, so bumping the version will get rid of this message.
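To trace where the flagged copy of ejs actually lives in an installed CLI (it is often a transitive copy nested under gluegun rather than a top-level dependency), here is an added example, not part of this PR or of gluegun's code, that scans a parsed package-lock.json for copies of a package below the advisory's fixed version. The sample lockfile is constructed; the function and version numbers in it are assumptions for illustration only.

```javascript
// Added example (not gluegun's code): find every installed copy of a package
// in a package-lock.json that is older than the version fixing an advisory.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// Compare two "x.y.z" versions: negative if a < b, zero if equal, positive if a > b.
// Pre-release suffixes are ignored, which is adequate for ejs's plain releases.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Return the lockfile paths of every copy of `name` older than `fixedVersion`.
function findVulnerableCopies(lock, name, fixedVersion) {
  const hits = [];
  const isOld = (meta) => meta && meta.version && compareSemver(meta.version, fixedVersion) < 0;
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/gluegun/node_modules/ejs"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const top = path === `node_modules/${name}`;
      const nested = path.endsWith(`/node_modules/${name}`);
      if ((top || nested) && isOld(meta)) hits.push(path);
    }
  } else {
    // v1: walk the nested "dependencies" tree and rebuild the install path
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && isOld(meta)) hits.push(path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level ejs plus an old copy nested
// under gluegun, which is the shape that still triggers the audit warning.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-cli', version: '1.0.0' },
    'node_modules/ejs': { version: '3.1.8' },
    'node_modules/gluegun': { version: '0.0.0-constructed' },
    'node_modules/gluegun/node_modules/ejs': { version: '3.1.6' },
  },
};

console.log(findVulnerableCopies(sampleLock, 'ejs', '3.1.7'));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `sampleLock`; an empty result means every installed copy is at or above the fixed version.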

yulolimum commented 1 year ago

@jamonholmgren we'll want to get this merged soon as it resolves issues on a freshly spun-up project.


ravenastar-js commented 1 year ago

If possible, update ejs to version 3.1.7 or higher, as it is causing problems with Windows PowerShell. By default, PowerShell blocks execution of dependencies that have a vulnerability, and using a script to bypass execution of vulnerable dependencies is not good for system security. Thanks for the attention and compression 💜

ThomasDRT commented 1 year ago

Looking to see if we can get this merged and closed as well. We've got some workarounds in place but are looking forward to getting the vulnerability properly addressed. Thanks!

Mashbourne1 commented 1 year ago

Same here. Awaiting the fix for this vulnerability as well. Thanks much in advance!

danstepanov commented 1 year ago

While ejs is no longer a dependency, the change to ts-node resolves this issue for me, thanks.

jamonholmgren commented 9 months ago

Hey everyone, sorry about the long delay on this. Finally getting to the cleanup of all PRs and issues.

infinitered-circleci commented 9 months ago

:tada: This PR is included in version 5.1.6 :tada:

The release is available on:

Your semantic-release bot :package::rocket: