EJS (Embedded JavaScript templates) is a simple templating language that lets you generate HTML markup with plain JavaScript. A comparison of versions 2.5.7 and 2.5.8 shows a focused update: the core functionality and core dependencies are the same in both, so existing users can move between them without changes. The key change lies in the development dependencies.
Version 2.5.8 updates the eslint development dependency from version 3.0.0 in 2.5.7 to ^4.14.0. This brings newer linting rules and potentially stricter code-quality enforcement during development, and suggests the maintainers are keeping the project aligned with current JavaScript coding standards.
Version 2.5.8 also carries an updated releaseDate, which shows it was released approximately eight months after 2.5.7. Its dist object adds new file metadata, fileCount and unpackedSize, which describe the package's structure and size; this is useful when assessing a dependency's impact on a project's footprint for performance and deployment purposes. While the core templating engine is unchanged, the update improves code quality through newer linting rules and adds metadata about the package. Developers already using EJS can upgrade to 2.5.8 with confidence, benefiting from improved code maintainability and codebase consistency.
All vulnerabilities related to version 2.5.8 of the package:
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
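Both advisories above concern attacker-controlled objects reaching EJS's options or being merged into locals. The following is an added example, not code from the page or from the ejs project: an application-side guard that rejects request data carrying the option and prototype keys named above, keeps the options argument strictly application-owned, and checks whether an installed ejs version is at or past 3.1.10. The APP_OPTIONS values and the exact allow/deny lists are assumptions for this example.

```javascript
// Added example (not from the ejs project). Keys that must never arrive from
// user input: outputFunctionName and settings['view options'] are named in the
// advisory above; __proto__, constructor and prototype are the usual
// prototype-pollution carriers when objects come from JSON.parse.
const UNSAFE_KEYS = new Set(['outputFunctionName', 'settings', 'view options',
  '__proto__', 'constructor', 'prototype']);

// Walk a parsed request body and return the dotted path of every unsafe key,
// so the request can be rejected and logged before anything reaches ejs.render().
function findUnsafeKeys(value, path = '') {
  const hits = [];
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {          // own enumerable keys only
    const full = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(full);
    hits.push(...findUnsafeKeys(value[key], full));
  }
  return hits;
}

// Assumed application-owned render options; untrusted input is never merged here.
const APP_OPTIONS = Object.freeze({ rmWhitespace: true, cache: false });

// Build the (locals, options) pair for ejs.render(template, locals, options):
// locals are copied onto a null-prototype object, options come only from
// APP_OPTIONS, and any unsafe key in the input aborts the render.
function buildRenderArgs(untrustedLocals) {
  const bad = findUnsafeKeys(untrustedLocals);
  if (bad.length) throw new Error(`rejected unsafe keys: ${bad.join(', ')}`);
  const locals = Object.assign(Object.create(null), untrustedLocals);
  return { locals, options: { ...APP_OPTIONS } };
}

// True when an ejs version string is >= 3.1.10, the first release the advisory
// names as carrying the pollution protection. Numeric compare, not lexical
// ("3.1.9" < "3.1.10"); leading ^, ~ or v range markers are stripped.
function hasPollutionProtection(version) {
  const parts = version.replace(/^[^\d]*/, '').split('.')
    .map(n => parseInt(n, 10) || 0);
  const [major = 0, minor = 0, patch = 0] = parts;
  const fixed = [3, 1, 10];
  const have = [major, minor, patch];
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] > fixed[i];
  }
  return true;
}
```

Run findUnsafeKeys on JSON.parse output rather than object literals, since a literal `{ __proto__: ... }` sets the prototype instead of creating an own key and would not be caught.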