EJS (Embedded JavaScript templates) saw a significant update moving from version 3.0.2 to 3.1.2. Both versions provide the same core function, embedded JavaScript templating for dynamic content generation in web applications, but several changes occurred between them. A notable difference is that version 3.1.2 introduces a runtime dependency on the jake build tool, with a version requirement of ^10.6.1. Since jake was already a devDependency, promoting it to a runtime dependency suggests alterations in the build process or task automation. Developers integrating EJS should verify compatibility with older build setups before upgrading.
The devDependencies also show updated versions. Notably, eslint jumped from 4.14.0 to 6.8.0, mocha went from 5.0.5 to 7.1.1, and jsdoc moved from 3.4.0 to 3.6.4, indicating improvements in code linting, testing, and documentation generation respectively. browserify also saw a bump from 13.1.1 to 16.5.1. Version 3.0.2 had no runtime dependencies, which means a slightly leaner final install, whereas 3.1.2 requires jake to do its work. The unpackedSize grew from 118,654 to 127,388 and the fileCount increased from 11 to 13, which likely reflects added features, updated documentation, or build script changes. The releases were approximately a month apart in Spring of 2020, so the changes most likely reflect iterative improvements. For developers, upgrading involves testing for compatibility with the new jake dependency and the updated tooling.
All vulnerabilities affecting version 3.1.2 of the package
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
ejs template injection vulnerability
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
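The two advisories above share a root cause: request-controlled values reaching EJS option handling, either as a name that is spliced into generated template code or as nested keys such as settings['view options'] that the engine reads from the locals object. The following added example (written for this page, not code from the EJS project) shows a defensive gate an application can place in front of ejs.render()/ejs.renderFile(): option values that EJS treats as JavaScript identifiers are required to be plain identifiers, and request-derived locals are copied onto a null-prototype object with reserved keys dropped before they are merged with framework-supplied locals. The option names are EJS's real ones; the check itself and the function names are this example's own choice.

```javascript
// Added example, not EJS project code. Assumes `opts` is server-controlled
// and `data` is the request-derived part of the locals, filtered here
// before it is merged with Express/app-supplied values such as settings.

// Values EJS inserts into generated JavaScript source must be identifiers;
// anything containing quotes, semicolons or parentheses is rejected.
const JS_IDENTIFIER = /^[A-Za-z_$][0-9A-Za-z_$]*$/;
const IDENTIFIER_OPTIONS = ['outputFunctionName', 'localsName', 'destructuredLocals'];

// Keys that reach EJS internals or the object prototype; they never
// belong in data that came from a request.
const FORBIDDEN_DATA_KEYS = new Set([
  'settings', 'view options', '__proto__', 'constructor', 'prototype',
]);

// Throws if any identifier-typed option holds something that is not a
// bare identifier; returns the options unchanged otherwise.
function checkRenderOptions(opts) {
  for (const name of IDENTIFIER_OPTIONS) {
    if (!Object.prototype.hasOwnProperty.call(opts, name)) continue;
    const values = Array.isArray(opts[name]) ? opts[name] : [opts[name]];
    for (const v of values) {
      if (typeof v !== 'string' || !JS_IDENTIFIER.test(v)) {
        throw new TypeError(`EJS option ${name} must be a JS identifier, got ${JSON.stringify(v)}`);
      }
    }
  }
  return opts;
}

// Copies only own, non-forbidden keys onto a null-prototype object, so
// neither reserved keys nor inherited (polluted) properties pass through.
function sanitizeLocals(data) {
  const clean = Object.create(null);
  for (const key of Object.keys(data)) {
    if (FORBIDDEN_DATA_KEYS.has(key)) continue;
    clean[key] = data[key];
  }
  return clean;
}

// Constructed sample: a query-string style payload parsed from JSON.
const sampleRequestLocals = JSON.parse(
  '{"title":"Hello","settings":{"view options":{"outputFunctionName":"x"}},"__proto__":{"polluted":true}}'
);
const safeLocals = sanitizeLocals(sampleRequestLocals); // only {title: "Hello"} survives

module.exports = { checkRenderOptions, sanitizeLocals, safeLocals };
```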