GitHub's dependency checker flagged CVEs based on the version of ejs in package.json (2.4.2):
which then links to:
and tells me to upgrade to ejs >= 2.5.5.
As for whether bootstrap-sass is affected by these, I'm not really sure. I'm not aware of what ejs actually gets used for. Although it is only included in devDependencies, I suppose in principle it could get included in some built files.
However, I think this is worth fixing regardless to remove the scary-looking GitHub warning.