please remvove jake as not needed in production - fixes CVE-2021-43138

Question

please remvove jake as not needed in production - fixes CVE-2021-43138

Opened this issue 3 years ago · 10 comments

Due to the build only dependency "jake"" a multiple additional not needed dependencies are fetched into EJS.
Now latest version of jake depends on insecure async package (CVE-2021-43138).
Removing jake and restoring no-dep only state as old 2.x version of ejs will silence a lot of noise from different security scanner and people will not need to invest time checking if its really vulnerable or some whitelists needs to be updated.

OTOH whitelisting this vulnerability for ejs/jake will silence the alarm for other possible real threats/dependencies too and is not really an option...

Thanks in advance,
S. Seide

Answer 1 · 2022-04-07T20:34:10.000Z

@mde I just made jakejs/jake#406 to avoid the CVE in jake, if you want to go that route.

Answer 2 · 2022-04-09T19:03:52.000Z

@mceachen why is jake not a dev dependency? It seems that jake is used to built ejs and nothing else or is there some hidden built feature in ejs that I am not aware of?

Answer 3 · 2022-04-13T07:00:32.000Z

@mceachen why is jake not a dev dependency? It seems that jake is used to built ejs and nothing else or is there some hidden built feature in ejs that I am not aware of?

It's apparently used for argument parsing in the CLI, see the discussion in #645

Answer 4 · 2022-04-13T13:59:39.000Z

Please remove jake which will make ejs a "dependency free" module in prod mode. That will boost ejs weekly usage imo.
Implement a direct way for cli argument parsing if you need that.
I always prefer dep-free modules, because of exact this reason discussed here and ejs is very close to that :)

Answer 5 · 2022-04-15T19:49:13.000Z

@ahoisl thanks for the info. @mde I did a cursory read of the changes in #645 and they seem like a reasonable alternative to waiting for jakejs/jake#406..

Answer 6 · 2022-04-20T08:26:52.000Z

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

Answer 7 · 2022-04-20T11:55:23.000Z

jake has fixed their dependency jakejs/jake#411

Answer 8 · 2022-04-20T15:01:02.000Z

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

You can just run npm audit fix to circumvent the issue.

Answer 9 · 2022-09-18T14:55:44.000Z

Moving the CLI into another package, or at least using some lighter / more specialized dependency like commander or embedding the arg parser as suggested in the PR #645, could indeed be a good thing to do.

Using Jake as a production dependency has also a direct impact on the package installation size that increased from 117 kB (3.0.2) to 541 kB (3.1.2) and 1.31 MB (3.1.7). As ejs is downloaded more than 10M times a week, increasing the package size by more than 10x makes a lot of difference globally in network and file system usage (even if yes, it's still a small dependency)!

And it's even more unfortunate that more than 90% of the installation size is therefore linked to a secondary feature 😕.

Answer 10 · 2022-09-18T19:15:14.000Z

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

FWIW, you didn't change the repository metadata in your package.json for your forked version--it's still pointing to this repo.