openedx / wg-frontend

Open edX Frontend Working Group

frontend-build: critical security vulnerability needs ejs update (via webpack-bundle-analyzer) #106

Closed dianekaplan closed 2 years ago

dianekaplan commented 2 years ago

Critical: Template injection in ejs
Patched in ejs version >=3.1.7
dependency chain: @edx/frontend-build > webpack-bundle-analyzer > ejs
more info: https://github.com/advisories/GHSA-phwq-j96m-2c2q

It looks like frontend-build currently uses webpack-bundle-analyzer 3.9.0, which only uses ejs version 2.7.4. (We need to update webpack-bundle-analyzer to a version that uses ejs >=3.1.7.)

arbrandes commented 2 years ago

Done via another dependency upgrade PR.

pshiu commented 1 year ago

This was done via https://github.com/openedx/frontend-build/pull/248
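
An added example, not part of the original issue thread or the project's code: one way to confirm from a lockfile whether the dependency chain named in the opening comment still resolves to an ejs older than 3.1.7. It assumes the npm `packages` lockfile layout (lockfileVersion 2 or 3); the function names, the sample lockfile, the `0.0.0-example` version and the `2.x` range are constructed for illustration.

```javascript
// Added example; sample data below is constructed, not the project's real lockfile.
const PATCHED = [3, 1, 7]; // first patched ejs release per the advisory in the issue

// True when "x.y.z" is older than floor; pre-release/build suffixes ignored (simplification).
function isBelow(version, floor) {
  const v = version.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((v[i] || 0) !== floor[i]) return (v[i] || 0) < floor[i];
  }
  return false; // equal to the floor counts as patched
}

// Node-style resolution: nearest node_modules/<name>, walking up from fromPath.
function resolveInstalled(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// List each package that declares ejs and resolves to a copy older than PATCHED.
function findVulnerableEjs(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const range = (meta.dependencies || {}).ejs;
    if (!range) continue;
    const installedAt = resolveInstalled(packages, path, 'ejs');
    if (!installedAt) continue;
    const version = packages[installedAt].version;
    if (isBelow(version, PATCHED)) {
      findings.push({ dependent: path || '(root)', range, installedAt, version });
    }
  }
  return findings;
}

// Constructed lockfile ("packages" layout); 3.9.0 and 2.7.4 come from the issue, the rest is made up.
const sampleLock = { lockfileVersion: 2, packages: {
  'node_modules/@edx/frontend-build': { version: '0.0.0-example', dependencies: { 'webpack-bundle-analyzer': '3.9.0' } },
  'node_modules/webpack-bundle-analyzer': { version: '3.9.0', dependencies: { ejs: '2.x' } },
  'node_modules/ejs': { version: '2.7.4' },
} };

console.log(findVulnerableEjs(sampleLock));
```

Against a real project, pass the parsed contents of `package-lock.json` to `findVulnerableEjs`; an empty result means every declared ejs dependency resolves to 3.1.7 or later.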