EJS (Embedded JavaScript templates) offers developers a simple way to generate HTML markup with plain JavaScript. Comparing the package manifests of versions 2.7.3 and 2.7.4, one visible difference is that the newer version declares an "author" field carrying the author's name (Matthew Eernisse) and contact details (email and URL).
While the core functionality and the declared runtime dependencies are unchanged, a key difference lies in the development dependencies. Version 2.7.3 listed istanbul for code coverage reporting, while version 2.7.4 replaced it with eslint to lint the code. Because devDependencies are only installed for work on the package itself, this swap changes nothing in what an application that depends on ejs pulls in.
Furthermore, the newer version has a new releaseDate and also includes the dist property, which carries registry-generated distribution details such as the tarball URL, fileCount and unpackedSize. From these a developer can see that the package contains only 11 files and unpacks to about 128 KB.
For developers considering EJS, both versions provide identical templating capabilities and efficient server-side rendering. The shift in development dependencies from istanbul to eslint in version 2.7.4 suggests a change of emphasis from measuring test coverage to enforcing code style and catching common mistakes; it says nothing about the security of the shipped code. The dist property is useful because it lets a developer sanity-check a release's file count and unpacked size against the previous version before installing it, and the same dist block on the npm registry also carries the tarball's integrity hash, which lets the downloaded archive be verified.
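The comparison above can be automated. The following is an added example (not code from the EJS project or the original page) that diffs two npm-style manifests and flags the changes a reviewer would want to see before upgrading. The two manifest objects are constructed from the facts stated on this page; fields the page does not give (emails, URLs, exact version ranges, a dist block for 2.7.3) are omitted or marked as placeholders, and the function names are hypothetical.

```javascript
// Constructed manifests based on what the page states about 2.7.3 and 2.7.4.
const ejs273 = {
  name: 'ejs',
  version: '2.7.3',
  dependencies: {},                    // page: runtime dependencies unchanged
  devDependencies: { istanbul: '*' },  // range is a placeholder
};

const ejs274 = {
  name: 'ejs',
  version: '2.7.4',
  author: { name: 'Matthew Eernisse' },
  dependencies: {},
  devDependencies: { eslint: '*' },    // range is a placeholder
  dist: {
    tarball: 'https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz', // standard registry URL pattern
    fileCount: 11,
    unpackedSize: 128 * 1024,          // "128 KB" per the page; exact byte count not given
  },
};

// Compare the keys of two plain objects (dependency maps).
function keyDiff(oldObj = {}, newObj = {}) {
  const added = Object.keys(newObj).filter((k) => !(k in oldObj));
  const removed = Object.keys(oldObj).filter((k) => !(k in newObj));
  const changed = Object.keys(newObj).filter((k) => k in oldObj && oldObj[k] !== newObj[k]);
  return { added, removed, changed };
}

// Build a review report for an upgrade from oldPkg to newPkg.
function diffManifests(oldPkg, newPkg) {
  const report = {
    dependencies: keyDiff(oldPkg.dependencies, newPkg.dependencies),
    devDependencies: keyDiff(oldPkg.devDependencies, newPkg.devDependencies),
    authorChanged: JSON.stringify(oldPkg.author || null) !== JSON.stringify(newPkg.author || null),
    distAdded: !oldPkg.dist && !!newPkg.dist,
    unpackedSizeDelta: null,
    warnings: [],
  };

  // Size jumps between versions are worth a look: unexpected files or bundled code.
  if (oldPkg.dist && newPkg.dist) {
    report.unpackedSizeDelta = newPkg.dist.unpackedSize - oldPkg.dist.unpackedSize;
    if (report.unpackedSizeDelta > oldPkg.dist.unpackedSize * 0.5) {
      report.warnings.push('unpacked size grew by more than 50%');
    }
  }
  // New runtime dependencies widen the install footprint for every consumer.
  if (report.dependencies.added.length) {
    report.warnings.push('new runtime dependencies: ' + report.dependencies.added.join(', '));
  }
  if (report.authorChanged) report.warnings.push('author field changed');
  return report;
}

// Usage: console.log(JSON.stringify(diffManifests(ejs273, ejs274), null, 2));
```

Run against the two constructed manifests, the report lists eslint as an added and istanbul as a removed devDependency, no runtime dependency changes, and a changed author field; the size check only fires when both versions carry dist data.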
Known vulnerabilities affecting version 2.7.4 of the package
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection via settings[view options][outputFunctionName]. When render data that an application passes through unfiltered (for example a parsed query string) carries this nested key, ejs treats it as an internal option and overwrites outputFunctionName with attacker-supplied JavaScript. Because the option is spliced verbatim into the source of the compiled template function, that JavaScript runs when the template is compiled, which in practice is used to execute arbitrary OS commands. The advisory names 3.1.6, but earlier releases, including 2.7.4, share the same code path; the fix shipped in 3.1.7.
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. Template options are read from an ordinary object, so in an application that already has a prototype pollution flaw elsewhere, keys an attacker plants on Object.prototype can be picked up as ejs options; 3.1.10 guards against this by consulting only the options object's own properties.