mde / ejs

Embedded JavaScript templates -- http://ejs.co
Apache License 2.0
7.66k stars 834 forks

Update jake dependency to avoid minimatch@3.0.4 snyk vulnerability #744

Open tmbp95 opened 10 months ago

tmbp95 commented 10 months ago

Hello, I'm currently using the latest ejs version (3.1.9), which points to Jake version 10.8.5 (https://github.com/mde/ejs/blob/v3.1.9/package.json#L25). Unfortunately, that version of Jake still uses minimatch@3.0.4, which is being pointed out by Snyk as a vulnerability.

path: ejs@3.1.9 › jake@10.8.5 › minimatch@3.0.4

I see that the jake package already updated its version to 10.8.7 and that version already updated the minimatch. Do you have any estimation or timeframe for the update to the new version of jake?

Thank you!

AvvariSreedhar commented 7 months ago

Hello @mde, the version of jake@10.8.5 being used has a dependency on minimatch@3.0.4, which has a vulnerability with a CVSS score of 7.5 as reported here, and this was fixed with jake@10.8.7. Please let us know the plans to upgrade the package to the latest version to remedy the reported CVE (CVE-2022-3517). Thanks in advance.

+-- ejs@3.1.9
| `-- jake@10.8.5
|   +-- async@3.2.4
|   +-- chalk@4.1.2
|   | +-- ansi-styles@4.3.0
|   | | `-- color-convert@2.0.1
|   | |   `-- color-name@1.1.4
|   | `-- supports-color@7.2.0
|   |   `-- has-flag@4.0.0
|   +-- filelist@1.0.4
|   | `-- minimatch@5.1.0
|   |   `-- brace-expansion@2.0.1
|   |     `-- balanced-match@1.0.0 deduped
|   `-- minimatch@3.0.4
|     `-- brace-expansion@1.1.11
|       +-- balanced-match@1.0.0
|       `-- concat-map@0.0.1
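The dependency tree above shows why a top-level audit can miss this: the vulnerable minimatch sits two levels down, next to a patched minimatch@5.1.0 under filelist. The following added example (not code from ejs, jake or the commenters) walks an `npm ls --json`-style tree and reports every path that ends in a package below a given fixed version; the tree is constructed by hand to mirror the printout in this issue, and the fixed version 3.0.5 for CVE-2022-3517 is an assumption to be checked against the advisory.

```javascript
// Constructed dependency tree mirroring the `npm ls` output in the issue
// (shape follows `npm ls --json`; this is not captured npm output).
const constructedTree = {
  name: "app", version: "1.0.0",
  dependencies: {
    ejs: { version: "3.1.9", dependencies: {
      jake: { version: "10.8.5", dependencies: {
        async: { version: "3.2.4" },
        filelist: { version: "1.0.4", dependencies: {
          minimatch: { version: "5.1.0" } } },
        minimatch: { version: "3.0.4" },
      } },
    } },
  },
};

// Compare two dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every dependency path ("name@version" joined by " > ") that ends in
// `pkg` with a version strictly below `fixedIn`. Recurses through the whole
// tree so a patched copy at one depth does not hide a vulnerable copy at another.
function findVulnerablePaths(tree, pkg, fixedIn, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      hits.push(path.join(" > "));
    }
    hits.push(...findVulnerablePaths(node, pkg, fixedIn, path));
  }
  return hits;
}

// Assumed fixed version for CVE-2022-3517 (minimatch 3.0.5); verify against the advisory.
console.log(findVulnerablePaths(constructedTree, "minimatch", "3.0.5"));
```

Pointing the same function at `JSON.parse` of real `npm ls --json --all` output gives the exact remediation path to hand to the upstream maintainer.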