Update to ejs v3 #46
Comments
I’ll take a look at updating it in due time. But note that |
@surma Thanks for your feedback. |
Should this issue be closed? It seems like the |
Oh it did indeed. lol. thank you |
Hi, @surma @RReverser, I’d like to report a vulnerability introduced by package ejs:
Issue
A vulnerability is introduced in @surma/[email protected]:
Vulnerability SNYK-JS-EJS-1049328 is detected in package ejs (versions: <3.1.6): https://snyk.io/vuln/SNYK-JS-EJS-1049328
The above vulnerable package is referenced by @surma/[email protected] via:
1. @acanto/[email protected] ➔ [email protected] ➔ [email protected] ➔ @surma/[email protected] ➔ [email protected]
2. @acpaas-ui/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ @surma/[email protected] ➔ [email protected]
3. @bentley/[email protected] ➔ [email protected] ➔ [email protected] ➔ @surma/[email protected] ➔ [email protected]
Solution
Since @surma/[email protected] (1,619,886 downloads per week) is transitively referenced by 2,667 downstream projects (e.g., workbox-build 6.1.5 (latest version), workbox-webpack-plugin 6.1.5 (latest version), react-scripts 4.0.3 (latest version), next-offline 5.0.5 (latest version), @xdn/next 2.53.3 (latest version)), if @surma/[email protected].* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.
Could you help update packages in these versions?
Fixing suggestions
In @surma/[email protected].*, you can kindly perform the following upgrade:
ejs ^2.6.1 ➔ 3.1.6
Note: [email protected] (>=3.1.6) has fixed the vulnerability (SNYK-JS-EJS-1049328)
Thanks for your contributions to the downstream users!
Best regards,
Paimon
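The report above lists dependency chains that end at a pre-3.1.6 ejs. The script below, an added example and not code from this issue or from the rollup-plugin-off-main-thread project, reproduces that check locally against an npm package-lock.json (lockfileVersion 2/3 "packages" map), applying npm's nearest-node_modules resolution so a nested, still-vulnerable copy is reported even when the root already has ejs 3.1.6. The lockfile content is constructed; the version 1.0.0 and range ^1.0.0 are placeholders inside the 1.0.* range the issue names.

```python
"""Find chains in a package-lock.json that resolve to a vulnerable ejs release.
Added example; the LOCK structure below is constructed, not a real lockfile."""

def parse_version(v):
    # Handles plain x.y.z releases, which is what lockfile "version" fields carry.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def resolve(packages, from_path, name):
    """npm resolution: nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Strip the trailing "/node_modules/<pkg>" segment and retry one level up.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def vulnerable_chains(lock, pkg="ejs", fixed="3.1.6"):
    """Return 'root -> a@x -> ... -> ejs@y' strings for every path to ejs < fixed."""
    packages = lock["packages"]
    fixed_v = parse_version(fixed)
    chains = []

    def walk(path, chain, seen):
        entry = packages[path]
        name = path.rsplit("node_modules/", 1)[-1] if path else lock.get("name", "root")
        chain = chain + ([f"{name}@{entry['version']}"] if path else [name])
        if path and name == pkg and parse_version(entry["version"]) < fixed_v:
            chains.append(" -> ".join(chain))
            return
        for dep in entry.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target and target not in seen:
                walk(target, chain, seen | {target})

    walk("", [], frozenset())
    return chains

# Constructed lockfile mirroring the issue's workbox-build chain (placeholder versions).
LOCK = {
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"workbox-build": "^6.1.5", "ejs": "^3.1.6"}},
        "node_modules/workbox-build": {"version": "6.1.5",
            "dependencies": {"@surma/rollup-plugin-off-main-thread": "^1.0.0"}},
        "node_modules/@surma/rollup-plugin-off-main-thread": {"version": "1.0.0",
            "dependencies": {"ejs": "^2.6.1"}},
        "node_modules/@surma/rollup-plugin-off-main-thread/node_modules/ejs": {"version": "2.6.1"},
        "node_modules/ejs": {"version": "3.1.6"},  # root copy is fixed, nested copy is not
    },
}
```

Run `vulnerable_chains(LOCK)` to get the one offending chain; swap in `json.load(open("package-lock.json"))` for a real project.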