fix(deps): bump ejs to 3.1.8 #764
Conversation
| @@ -47,7 +47,7 @@ | |||
| "@typescript-eslint/eslint-plugin": "^4.17.0", | |||
| "@typescript-eslint/parser": "^4.17.0", | |||
| "ts-jest": "^26.5.3", | |||
| "ts-node": "^9.1.1", | |||
| "ts-node": "^10.9.1", | |||
There was a problem hiding this comment.
@jamonholmgren this is a fix for the issue with CI happening in #763 (and all PRs I think). Let me know and I can split it out if you like.
|
@jamonholmgren we'll want to get this merged soon as it resolves issues on a freshly spun-up project.
|
|
If possible, update ejs to version 3.1.7 or higher as it is causing problems with windows powershell, by default powershell blocks execution of dependencies that have vulnerability and using script to bypass execution of vulnerable dependencies is not good for system security. thanks for the attention and compression 💜 |
|
Looking to see if we can get this merged and closed as well. We've got some workarounds in place but are looking forward to getting the vulnerability properly addressed. Thanks! |
|
Same here. Awaiting the fix for this vulnerability as well. Thanks much in advance! |
|
while |
|
Hey everyone, sorry about the long delay on this. Finally getting to cleanup of all PRs and issues. |
## [5.1.6](v5.1.5...v5.1.6) (2023-09-28) ### Bug Fixes * **deps:** bump ejs to 3.1.8 ([#764](#764) by [@bennetthardwick](https://github.com/bennetthardwick)) ([be2433b](be2433b))
|
🎉 This PR is included in version 5.1.6 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Currently when installing a CLI created with gluegun users will see a message saying "1 critical severity vulnerability" because of a vulnerability in ejs: GHSA-phwq-j96m-2c2q
While it's not likely this will cause an issue it might worry some people who install gluegun created CLIs.
This vulnerability is patched in [email protected] so bumping the version will get rid of this message.