EJS (Embedded JavaScript templates) moved from version 2.7.4 to 3.0.1, a change developers should be aware of. Both versions share the same core purpose: embedding JavaScript within templates to generate dynamic HTML. They also keep identical development dependencies, including Jake for building, JSDoc for documentation, Mocha for testing, ESLint for linting, LRU-cache for caching, Uglify-js for minification, Browserify for module bundling, and git-directory-deploy for deployment. The license remains Apache-2.0, and the repository and author information are unchanged. Looking closer, however, reveals subtle but important differences.
The most obvious difference is the version number itself, which signals potential API changes, bug fixes, or performance improvements. One measurable difference is in the package's dist metadata, specifically unpackedSize: version 3.0.1 has a smaller footprint at 118237 bytes, compared to 128813 bytes for version 2.7.4. This suggests code was optimized or unnecessary files were removed, which may mean a smaller install and somewhat faster load times for applications using the library. The more recent release date of version 3.0.1 also makes it more likely to include recent bug fixes and security patches. Developers should review the changelog for version 3.0.1 to understand the specific changes and confirm compatibility with their existing code.
Known vulnerabilities affecting version 3.0.1 of the package
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection via settings['view options']['outputFunctionName']. This value is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed when the template is compiled.
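A defensive guard for the two issues above, added here as an example and not part of the ejs project: it removes the keys EJS treats as engine options (notably settings['view options']) and prototype-pollution keys from an untrusted object before that object is handed to res.render() or ejs.renderFile(). The option names are EJS's documented ones; the request body below is constructed, with a harmless placeholder where an attacker would put a command.

```javascript
// Keys that vulnerable EJS releases read out of the locals object as options.
// 'settings' covers settings['view options'], the injection vector above.
const EJS_OPTION_KEYS = new Set([
  'settings', 'outputFunctionName', 'escapeFunction', 'escape', 'client',
  'localsName', 'destructuredLocals', 'root', 'views', 'filename', 'cache',
  'delimiter', 'openDelimiter', 'closeDelimiter', 'compileDebug', 'debug',
  'strict', '_with', 'rmWhitespace', 'async', 'context', 'includer',
]);
// Keys used for prototype pollution, which releases before 3.1.10 do not block.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns a null-prototype copy of `input` holding only keys safe to pass to
// the template engine, plus the dotted paths of every key that was dropped.
// Option names are only meaningful (and only dropped) at the top level;
// pollution keys are dropped at any depth.
function sanitizeLocals(input, path = '', dropped = []) {
  if (input === null || typeof input !== 'object') return { locals: input, dropped };
  if (Array.isArray(input)) {
    return { locals: input.map((v) => sanitizeLocals(v, path, dropped).locals), dropped };
  }
  const locals = Object.create(null); // nothing inherited for a payload to pollute
  for (const key of Object.keys(input)) { // own keys only; JSON.parse makes __proto__ an own key
    const here = path ? `${path}.${key}` : key;
    if (POLLUTION_KEYS.has(key) || (path === '' && EJS_OPTION_KEYS.has(key))) {
      dropped.push(here);
      continue;
    }
    locals[key] = sanitizeLocals(input[key], here, dropped).locals;
  }
  return { locals, dropped };
}

// Constructed sample: a parsed request body shaped like both attack classes.
// The option value is a placeholder string, not a command.
const UNTRUSTED_BODY = JSON.parse(`{
  "user": { "name": "alice", "theme": "dark" },
  "settings": { "view options": { "outputFunctionName": "attacker-controlled-value" } },
  "client": true,
  "__proto__": { "isAdmin": true },
  "prefs": { "constructor": { "prototype": { "x": 1 } }, "lang": "en" }
}`);

// What a handler would do before res.render('page', locals).
function demo() {
  return sanitizeLocals(UNTRUSTED_BODY);
}
```

Upgrading to an ejs release at or above 3.1.10 remains the primary fix; this guard is defence in depth for handlers that forward request data into template locals.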