EJS (Embedded JavaScript templates) saw a minor version update from 2.5.6 to 2.5.7, a refinement release of this popular templating engine. Both versions share the same core functionality: a simple way to generate dynamic HTML markup with plain JavaScript. Developers familiar with version 2.5.6 will find the transition to 2.5.7 seamless, since the dependencies and development tools (jake, jsdoc, mocha, eslint, istanbul, lru-cache, uglify-js, browserify and git-directory-deploy) remain identical. The license and repository details are also unchanged; the author, Matthew Eernisse, continues to maintain the package under the Apache-2.0 open source license.
The key difference between the two versions is the release date: version 2.5.6 was published on February 16, 2017, and version 2.5.7 on July 30, 2017. The gap suggests that 2.5.7 carries bug fixes, minor improvements or security updates made after 2.5.6. The precise nature of these changes is not detailed in the provided data, but users should prefer the newer version to benefit from the latest fixes. Anyone using EJS for server-side rendering or client-side templating in a web application should upgrade to version 2.5.7 for the most up-to-date and stable release. The core usage patterns and syntax remain consistent, so existing codebases need minimal changes.
All known vulnerabilities affecting version 2.5.7 of the package:
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain prototype-pollution protections, so every earlier release, including 2.5.7, is affected.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection through settings[view options][outputFunctionName]. That value is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed when the template is compiled.
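As an added defensive example (not code from ejs or from this page), the helper below filters caller-influenced render options and render locals before they reach ejs: it rejects an outputFunctionName that is not a plain identifier and skips prototype-polluting keys. The helper names and the allowlists are assumptions, as is the Express pattern in which render locals carry a settings object from which ejs reads 'view options'.

```javascript
// Added example (not ejs's own code): sanitise what untrusted input may
// contribute to an ejs render call. Names below are hypothetical.

// ejs splices outputFunctionName into the generated template function as
// source code, so only a plain JavaScript identifier is acceptable.
const JS_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Render options a request is allowed to influence (assumed allowlist);
// anything else is dropped rather than forwarded to ejs.
const ALLOWED_OPTIONS = new Set(['filename', 'cache', 'delimiter', 'rmWhitespace', 'outputFunctionName']);

// Keys that must never be copied from untrusted objects (prototype pollution).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Locals that Express/ejs treat as configuration, not template data.
const RESERVED_LOCALS = new Set(['settings', '_locals', 'cache']);

// Returns a fresh options object safe to pass as the third argument of
// ejs.render(); throws if outputFunctionName is not an identifier.
function sanitizeRenderOptions(untrusted) {
  const clean = {};
  if (untrusted === null || typeof untrusted !== 'object') return clean;
  for (const key of Object.keys(untrusted)) {          // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key) || !ALLOWED_OPTIONS.has(key)) continue;
    const value = untrusted[key];
    if (key === 'outputFunctionName' &&
        (typeof value !== 'string' || !JS_IDENTIFIER.test(value))) {
      throw new TypeError('outputFunctionName must be a plain identifier');
    }
    clean[key] = value;
  }
  return clean;
}

// Returns a copy of user-supplied render locals with the keys removed that
// would otherwise override the app's settings (and so 'view options').
function stripReservedLocals(untrusted) {
  const clean = {};
  if (untrusted === null || typeof untrusted !== 'object') return clean;
  for (const key of Object.keys(untrusted)) {
    if (FORBIDDEN_KEYS.has(key) || RESERVED_LOCALS.has(key)) continue;
    clean[key] = untrusted[key];
  }
  return clean;
}
```

Typical use is `res.render(view, stripReservedLocals(userData))` and `ejs.render(tpl, data, sanitizeRenderOptions(userOpts))`, keeping request-derived values out of configuration entirely wherever possible.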