EJS (Embedded JavaScript) is a simple templating engine that lets you generate HTML markup with plain JavaScript. Comparing versions 2.1.2 and 2.1.1 reveals only minor changes, but understanding them is still useful for developers. Both versions share identical dependencies and development dependencies, including tools for testing (Mocha, Istanbul), task automation (Jake), minification (Uglify-js) and packaging for browsers (Browserify), showing a consistent focus on quality and compatibility across these releases and facilitating integration into different environments. The license remains Apache-2.0, ensuring freedom in using and distributing the library. The core difference lies in the release date. Version 2.1.2 was published on January 11, 2015, at 20:16:56 UTC, whereas version 2.1.1 came out on the same day at 17:55:40 UTC. This indicates that version 2.1.2 likely includes bug fixes or minor enhancements made shortly after the initial release of 2.1.1. For developers, this means upgrading to version 2.1.2 is recommended, as it likely offers a more stable and refined experience.
While the changelog for such a small update might be minimal, keeping dependencies up to date with the latest point release, as in this case, is standard practice in software development. Both versions can be installed via npm; the command npm install ejs@2.1.2 fetches the newer of the two.
All vulnerabilities affecting version 2.1.2 of the package:
ejs is vulnerable to remote code execution due to weak input validation
Node.js ejs versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in the ejs.renderFile() function.
ejs vulnerable to DoS due to weak input validation
Node.js ejs versions older than 2.5.5 are vulnerable to denial of service due to weak input validation in ejs.renderFile().
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
mde ejs vulnerable to XSS
Node.js ejs versions older than 2.5.5 are vulnerable to cross-site scripting in ejs.renderFile(), resulting in code injection.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
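The entries above share one root cause: data that a client controls reaches ejs.renderFile() as options, or as objects that ejs walks without pollution protection. The usual mitigation, independent of the ejs version, is to keep every rendering option fixed on the server and pass only an allow-listed set of plain data keys through from the request. The following guard is an added example written for this page; it is not code from the ejs project. It assumes a hypothetical application whose templates use only the data keys title, username and items, and a fixed server-side option set; the two option names it rejects ('view options' and outputFunctionName) are the ones named in the advisory above, while the prototype-pollution key names are a conservative rule added here.

```javascript
// Added example, not part of the ejs project: build the (data, options) pair
// for ejs.renderFile() so that request-controlled input can never reach
// ejs's internal options or smuggle in prototype-pollution keys.

// Option names the advisory above shows being abused via settings[view options].
const RESERVED_OPTION_KEYS = new Set(['view options', 'outputFunctionName']);

// Keys that rewrite Object.prototype when copied carelessly (added rule, assumption).
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Template data keys a client may supply (hypothetical application schema).
const ALLOWED_DATA_KEYS = new Set(['title', 'username', 'items']);

// Rendering options are decided by the server and never derived from the request.
const FIXED_OPTIONS = Object.freeze({ rmWhitespace: true });

// Walk the request object at every depth and refuse reserved or polluting keys.
// Object.entries() also lists an own "__proto__" property created by JSON.parse.
function assertSafeKeys(value, path) {
  if (value === null || typeof value !== 'object') return;
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (RESERVED_OPTION_KEYS.has(key)) {
      throw new Error(`reserved ejs option key in request data: ${here}`);
    }
    if (POLLUTION_KEYS.has(key)) {
      throw new Error(`prototype-pollution key in request data: ${here}`);
    }
    assertSafeKeys(child, here);
  }
}

// Returns { data, options } for ejs.renderFile(templatePath, data, options, cb).
// Throws on anything outside the allow-list instead of silently dropping it,
// so a probing request is visible in application logs.
function buildRenderArgs(untrustedData) {
  if (untrustedData === null || typeof untrustedData !== 'object' || Array.isArray(untrustedData)) {
    throw new TypeError('template data must be a plain object');
  }
  for (const key of Object.keys(untrustedData)) {
    if (!ALLOWED_DATA_KEYS.has(key)) {
      throw new Error(`unexpected template data key: ${key}`);
    }
  }
  assertSafeKeys(untrustedData, '');

  // Copy only the allow-listed keys into a fresh object; never forward the original.
  const data = {};
  for (const key of ALLOWED_DATA_KEYS) {
    if (Object.prototype.hasOwnProperty.call(untrustedData, key)) {
      data[key] = untrustedData[key];
    }
  }
  return { data, options: FIXED_OPTIONS };
}

// Constructed sample request bodies, as a client would send them as JSON.
const GOOD_REQUEST = JSON.parse('{"title":"Welcome","username":"alice","items":["a","b"]}');
const OPTION_OVERRIDE = JSON.parse('{"title":"x","view options":{"outputFunctionName":"y"}}');
const NESTED_POLLUTION = JSON.parse('{"items":{"__proto__":{"polluted":true}}}');

module.exports = { buildRenderArgs, assertSafeKeys, GOOD_REQUEST, OPTION_OVERRIDE, NESTED_POLLUTION };
```

In an Express handler the result is spread into the render call, for example ejs.renderFile(templatePath, args.data, args.options, cb), and the request body itself is never passed to ejs or merged into app settings. Rejecting unknown keys outright, rather than filtering them out, keeps the guard simple to reason about and makes probing attempts show up as errors.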