EJS (Embedded JavaScript templates) offers a simple way to generate HTML markup with plain JavaScript. Comparing versions 2.7.3 and 2.7.2, developers will find minimal changes on the surface, primarily in internal package details. Both versions keep the same core server-side templating functionality.

The key difference lies in the dist object, which describes the distribution package. Version 2.7.3 increases the fileCount from 10 to 11 and the unpackedSize from 128760 to 128813 bytes. It was released on November 19th, 2019, six days after 2.7.2 (November 13th, 2019), which points to a minor bug fix or packaging adjustment rather than a feature release. Both versions share the same dependencies and development dependencies, including jake for build automation, jsdoc for documentation generation, mocha for testing, eslint for linting, and browserify for browser bundling.

The core features of EJS, such as dynamic content injection, control flow with JavaScript logic inside templates, and the various template delimiters, are unchanged between these versions. Developers can upgrade from 2.7.2 to 2.7.3 without expecting breaking changes in templating behaviour and without immediate code adjustments. Note, however, that the advisories listed below name version ranges that extend well beyond 2.7.x, so this point upgrade does not address them.
All vulnerabilities affecting version 2.7.3 of the package
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. Version 2.7.3 falls inside that range, so the 2.7.2 to 2.7.3 upgrade does not resolve it.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection through the key settings['view options']['outputFunctionName']. That key is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed when the template is compiled. The issue is reachable wherever untrusted input can supply keys of the options object handed to the template engine.
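Both advisories above come down to how the options object is read before its values are spliced into the generated render function: a value that is not a plain identifier becomes extra JavaScript statements (the outputFunctionName injection), and reading options straight off an object lets an attacker-polluted Object.prototype supply that value even when the caller passes no options at all (the missing pollution protection). The following is an added illustration, not ejs's own code: a minimal template compiler that reads its options the weak way next to a hardened variant that copies only own properties and validates the identifier, the kind of check ejs 3.1.7 added for outputFunctionName. The template syntax, function names, PAYLOAD and the globalThis.__marker side effect used in place of an OS command are all hypothetical.

```javascript
// Added illustration, not ejs's own code: a toy template compiler showing the
// two option-handling weaknesses named in the advisories, beside a hardened
// variant. Syntax: <%= %> escaped output, <%- %> raw output, <% %> code.
// All names below are hypothetical.

const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Translate the template text into a JavaScript function body (shared).
function compileBody(template) {
  const re = /<%([=-]?)([\s\S]*?)%>/g;
  let src = '', last = 0, m;
  while ((m = re.exec(template)) !== null) {
    src += `__append(${JSON.stringify(template.slice(last, m.index))});\n`;
    if (m[1] === '=') src += `__append(escapeFn(${m[2]}));\n`;
    else if (m[1] === '-') src += `__append(${m[2]});\n`;
    else src += `${m[2]}\n`;
    last = re.lastIndex;
  }
  return src + `__append(${JSON.stringify(template.slice(last))});\n`;
}

// Build the renderer. outputFunctionName is spliced into generated source as
// an identifier; anything else becomes extra statements inside the renderer.
function buildRenderer(template, outputFunctionName, escapeFn) {
  let src = 'var __output = "";\n' +
            'function __append(s) { if (s != null) __output += s; }\n';
  if (outputFunctionName) {
    src += `var ${outputFunctionName} = __append;\n`;   // injection point
  }
  src += compileBody(template) + 'return __output;';
  const fn = new Function('locals', 'escapeFn', src);
  return locals => fn(locals || {}, escapeFn);
}

// Weak: options are read straight off `opts`, so a polluted Object.prototype
// is honoured, and outputFunctionName is never validated.
function compileNaive(template, opts) {
  opts = opts || {};
  return buildRenderer(template, opts.outputFunctionName, opts.escape || escapeHtml);
}

// Hardened: keep only own properties (on a prototype-less object, so nothing
// can be inherited) and require a plain identifier before splicing it in.
function compileHardened(template, opts) {
  const own = Object.assign(Object.create(null), opts || {});
  if (own.outputFunctionName !== undefined && !JS_IDENTIFIER.test(own.outputFunctionName)) {
    throw new Error('outputFunctionName is not a valid JS identifier');
  }
  return buildRenderer(template, own.outputFunctionName, own.escape || escapeHtml);
}

// Constructed payload: a harmless global marker stands in for the OS command
// the advisory describes. It is valid JS once pasted after "var ".
const PAYLOAD = 'out = __append; globalThis.__marker = "executed"; var _';

// Direct injection through the option (the outputFunctionName advisory).
function demoInjection() {
  delete globalThis.__marker;
  compileNaive('<p><%= locals.name %></p>', { outputFunctionName: PAYLOAD })({ name: '<b>' });
  return globalThis.__marker;                       // "executed"
}

// Same payload reaching a caller that passes an empty options object, via a
// polluted Object.prototype (the missing pollution protection). Returns the
// marker the given compiler left behind, or undefined if it was not set.
function demoPollution(compile) {
  delete globalThis.__marker;
  Object.prototype.outputFunctionName = PAYLOAD;    // simulated pollution
  try {
    compile('hello', {})();
  } finally {
    delete Object.prototype.outputFunctionName;     // always clean up
  }
  return globalThis.__marker;
}
```

demoInjection() and demoPollution(compileNaive) both return "executed", while demoPollution(compileHardened) returns undefined and compileHardened() throws on the payload. The hardened path still honours a legitimate name: compileHardened('<% out("a") %>-<%= locals.n %>', { outputFunctionName: 'out' })({ n: '<' }) yields "a-&lt;". Two design points carry over to real code: copy options onto an object created with Object.create(null) (or check hasOwnProperty) before reading them, and never splice a string into generated source unless it has been validated against the grammar of the thing it is supposed to be.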