EJS (Embedded JavaScript) is a simple templating engine that lets you generate HTML markup with plain JavaScript. Versions 2.6.2 and 2.6.1 share the same core architecture and the same development dependencies at the same versions: eslint for linting, mocha and Istanbul for testing, and jsdoc for documentation. The license remains Apache-2.0, so both versions are free for open-source use. Both packages are maintained by Matthew Eernisse, with the source code hosted on GitHub.
The notable differences are the release date and the unpacked size. Version 2.6.2 was released on June 15, 2019, while 2.6.1 came out on May 5, 2018. The unpacked size grew from 120006 in version 2.6.1 to 121906 in version 2.6.2, which may reflect minor bug fixes, performance improvements, or small feature changes between the two releases. Because this data does not include a changelog, developers should consult the project's changelog, commit history, or release notes for the actual list of fixes and features before deciding whether the newer release suits their project. Both versions ship ten files in the distributed package and use the same set of development dependencies, which suggests a consistent development and testing process across the two releases.
All vulnerabilities affecting version 2.6.2 of the package
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
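Both issues above have the same root cause from an application's point of view: the object handed to EJS's render call doubles as template data and as rendering options, so any request-controlled keys that reach it (a `settings['view options']` block, or prototype keys such as `__proto__`) can alter internal options like outputFunctionName. The following Node.js wrapper is an added example, not code from the EJS project or from this page, showing the mitigation a defender applies regardless of the EJS version installed: untrusted input is never forwarded as options, only allow-listed scalar fields are copied into a null-prototype data object, and identifier-typed options are pinned server-side and validated. The option value `echo`, the data keys `name` and `theme`, and the Express route in the comment are assumptions chosen for illustration.

```javascript
// Added example (not EJS project code): keep request-controlled input out of
// the EJS options namespace and out of the template data's prototype chain.

// Keys that must never be copied from a request, even if an allow-list
// accidentally names them. `settings` is how Express-style view options reach
// EJS; the other three are prototype-pollution vectors.
const FORBIDDEN_KEYS = new Set([
  '__proto__', 'constructor', 'prototype',
  'settings', 'cache', 'filename', 'root', 'views',
]);

// Options whose values EJS writes into generated JavaScript source must be
// plain identifiers, never arbitrary strings.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const IDENTIFIER_OPTIONS = ['outputFunctionName', 'localsName'];

function isSafeIdentifier(value) {
  return typeof value === 'string' && IDENT_RE.test(value);
}

// Rendering options are chosen by the application, not by the request.
// (The values here are assumptions for the example.)
const PINNED_OPTIONS = Object.freeze({
  outputFunctionName: 'echo',
  localsName: 'locals',
  cache: true,
  rmWhitespace: false,
});

// Copy only allow-listed, own, scalar fields from an untrusted object into a
// null-prototype object so the result carries no inherited properties.
function pickTemplateData(untrusted, allowedKeys) {
  const data = Object.create(null);
  if (untrusted === null || typeof untrusted !== 'object') return data;
  for (const key of allowedKeys) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    const value = untrusted[key];
    // Nested objects are dropped: they could carry prototype keys of their own.
    if (['string', 'number', 'boolean'].includes(typeof value)) data[key] = value;
  }
  return data;
}

// Validate the pinned options once and return a fresh copy alongside the
// sanitized data, ready to pass to ejs.render(template, data, options).
function buildRenderArgs(untrusted, allowedKeys) {
  for (const name of IDENTIFIER_OPTIONS) {
    if (!isSafeIdentifier(PINNED_OPTIONS[name])) {
      throw new Error(`pinned option ${name} is not a plain identifier`);
    }
  }
  return {
    data: pickTemplateData(untrusted, allowedKeys),
    options: { ...PINNED_OPTIONS },
  };
}

// Express-style usage (hypothetical route; express and ejs are not loaded here):
//   app.get('/profile', (req, res) => {
//     const { data, options } = buildRenderArgs(req.query, ['name', 'theme']);
//     res.send(ejs.render(PROFILE_TEMPLATE, data, options));
//   });

module.exports = { isSafeIdentifier, pickTemplateData, buildRenderArgs, PINNED_OPTIONS };
```

The design point is separation of namespaces: the request may only populate template data, and only through an explicit allow-list of scalar fields, while every rendering option is a constant the application owns. Upgrading EJS remains necessary, but this shape removes the path by which a query string or JSON body could reach `settings['view options']` in the first place.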