twbs/bootstrap-sass

ejs version reported as having CVEs

plumdog opened this issue · 0 comments

GitHub's dependency checker flagged CVEs based on the version of ejs in package.json (2.4.2):

[Screenshot: bootstrap_sass_ejs_github_cve]

which then links to:

and tells me to upgrade to ejs >= 2.5.5.

As for whether bootstrap-sass is affected by these, I'm not really sure. I'm not aware of what ejs actually gets used for. Although it is only included in devDependencies, I suppose in principle it could get included in some built files.

However, I think this is worth fixing regardless to remove the scary-looking GitHub warning.