EJS (Embedded JavaScript) templates offer a straightforward way to generate dynamic HTML on the server or client side, with a clean syntax for embedding JavaScript logic in HTML. Comparing versions 2.7.2 and 2.7.1 shows only small differences. Both versions keep the same core functionality and neither lists a change in its runtime dependencies, so the template API is stable for code that depends on it. The devDependencies are almost identical (the same tools for development, testing and building); the one notable change is an update of jake from ^8.0.16 to ^10.3.1, which affects only the build and test process, not the published library.
Developers should also note the size and release date: version 2.7.2, released on November 13, 2019, is 128760 bytes, slightly larger than version 2.7.1, released on September 2, 2019, at 122099 bytes. A size increase of this order is consistent with small bug fixes or minor additions rather than new features. Moving from 2.7.1 to 2.7.2 is a low-risk upgrade, but it is not a security fix: both 2.7.x releases predate the fixes for the vulnerabilities listed below, which landed in the 3.1.x line (3.1.7 and 3.1.10 respectively), so an application that needs those fixes must upgrade to at least 3.1.10 rather than stop at 2.7.2. Both versions are released under the Apache-2.0 license, which is suitable for most commercial and open-source projects.
All known vulnerabilities affecting version 2.7.2 of the package
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection (CVE-2024-33883). In practice this means ejs read render options such as outputFunctionName without checking that they were own properties of the options object, so a value planted on Object.prototype anywhere else in the process (for example through an unrelated prototype pollution bug) was picked up as a render option and could reach the code-generation path described in the next entry; ejs was therefore usable as a prototype-pollution gadget. Version 3.1.10 copies options only from own properties and skips the __proto__ and constructor keys.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName] (CVE-2022-29078). This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation). The root cause is that ejs concatenates the option value directly into the generated function source as `var <outputFunctionName> = __append;`, so any value that closes that statement and appends JavaScript of its own is executed when the compiled template runs; Express forwards `settings['view options']` from application settings and res.render() options into ejs, which is how attacker-controlled input reaches it. The advisory names 3.1.6, but the same code path exists in earlier releases including 2.7.2; the fix in 3.1.7 rejects any outputFunctionName (and the related localsName and destructuredLocals options) that is not a plain JavaScript identifier.
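The following is an added example, not ejs's own code, that reproduces the shape of both issues above in a miniature EJS-style compiler: `outputFunctionName` is spliced into generated source exactly as ejs does, and options are shallow-copied the way Express's `settings['view options']` are. It runs the template-injection case (attacker supplies the option) and the pollution-gadget case (attacker supplies nothing, but Object.prototype is already polluted) against a naive and a hardened variant. All function names, the payload and the `__ejsDemoHits` marker are constructed for the demonstration; the payload pushes a marker instead of spawning a process so the effect is observable without side effects.

```javascript
'use strict';
// Added example (hypothetical names throughout), not ejs's own implementation.

const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

// Turns "Hi <%= locals.name %>" into function source. As in ejs, the option
// value is concatenated straight into code: `var <outputFunctionName> = __append;`
function buildSource(template, opts) {
  let src = 'var __output = "";\n' +
            'function __append(s) { if (s != null) __output += String(s); }\n';
  if (opts.outputFunctionName) {
    src += 'var ' + opts.outputFunctionName + ' = __append;\n';
  }
  const tag = /<%=([\s\S]*?)%>/g;
  let last = 0, m;
  while ((m = tag.exec(template)) !== null) {
    src += '__append(' + JSON.stringify(template.slice(last, m.index)) + ');\n';
    src += '__append((' + m[1].trim() + '));\n';
    last = tag.lastIndex;
  }
  src += '__append(' + JSON.stringify(template.slice(last)) + ');\nreturn __output;\n';
  return src;
}

// Vulnerable shape: whatever is in opts (own or inherited) becomes code.
function compileUnsafe(template, opts) {
  return new Function('locals', buildSource(template, opts));
}

// Hardened shape: copy only own options into a null-prototype object, then
// insist that anything spliced into code is a plain identifier.
function compileSafe(template, opts) {
  const own = Object.create(null);
  for (const k of Object.keys(opts)) own[k] = opts[k];
  if (own.outputFunctionName !== undefined &&
      !JS_IDENTIFIER.test(String(own.outputFunctionName))) {
    throw new Error('outputFunctionName is not a valid JS identifier');
  }
  return new Function('locals', buildSource(template, own));
}

// Express-style propagation of settings['view options'] into render options.
// The naive copy forwards inherited keys (and __proto__) as well.
function copyOptionsUnsafe(to, from) {
  for (const p in from) to[p] = from[p];
  return to;
}
function copyOptionsSafe(to, from) {
  for (const p in from) {
    if (!Object.prototype.hasOwnProperty.call(from, p)) continue;
    if (p === '__proto__' || p === 'constructor') continue;
    to[p] = from[p];
  }
  return to;
}

// Constructed payload: closes the `var ... = __append;` statement, runs a
// statement of its own (a benign marker here, child_process in a real attack)
// and re-opens a declaration so the generated source still parses.
const PAYLOAD = "__o = __append; globalThis.__ejsDemoHits.push('sti'); var __z";

// Scenario 1: attacker controls settings['view options'].outputFunctionName
// (modelled as JSON arriving from an untrusted source).
function renderWithViewOptions(copyFn, compileFn) {
  globalThis.__ejsDemoHits = [];
  const viewOptions = JSON.parse('{"outputFunctionName": ' + JSON.stringify(PAYLOAD) + '}');
  const opts = copyFn({}, viewOptions);
  let output;
  try { output = compileFn('Hi <%= locals.name %>', opts)({ name: 'Ann' }); }
  catch (e) { output = 'rejected: ' + e.message; }
  return { output, hits: globalThis.__ejsDemoHits.slice() };
}

// Scenario 2: attacker passes no options at all, but Object.prototype was
// polluted elsewhere; the template engine then acts as the gadget.
function renderWithPollutedPrototype(copyFn, compileFn) {
  globalThis.__ejsDemoHits = [];
  Object.prototype.outputFunctionName = PAYLOAD;   // simulated prior pollution
  try {
    const opts = copyFn({}, {});                     // nothing passed directly
    let output;
    try { output = compileFn('Hi <%= locals.name %>', opts)({ name: 'Ann' }); }
    catch (e) { output = 'rejected: ' + e.message; }
    return { output, hits: globalThis.__ejsDemoHits.slice() };
  } finally {
    delete Object.prototype.outputFunctionName;      // always undo the pollution
  }
}

console.log('view options, unsafe :', renderWithViewOptions(copyOptionsUnsafe, compileUnsafe));
console.log('view options, safe   :', renderWithViewOptions(copyOptionsSafe, compileSafe));
console.log('polluted proto, unsafe:', renderWithPollutedPrototype(copyOptionsUnsafe, compileUnsafe));
console.log('polluted proto, safe  :', renderWithPollutedPrototype(copyOptionsSafe, compileSafe));
```

In the unsafe pairing both scenarios render "Hi Ann" and record the marker, i.e. the injected statement ran; note that in scenario 2 the option was never supplied by the caller, it was inherited through `for...in`. The hardened pairing needs both halves: the identifier check alone still reads `opts.outputFunctionName` through the prototype chain, and the own-property copy alone would still splice a caller-supplied string into code. Checking for `__proto__`/`constructor` in the copy additionally keeps the option merge itself from becoming a pollution vector when the source object comes from parsed JSON.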