Update dependency ejs to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
ejs	^2.5.6 -> ^3.1.10

GitHub Vulnerability Alerts

CVE-2022-29078

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

CVE-2024-33883

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

---

Release Notes

mde/ejs (ejs)

v3.1.10

Compare Source

Version 3.1.10

v3.1.9

Compare Source

Version 3.1.9

v3.1.8

Compare Source

Version 3.1.8

v3.1.7

Compare Source

Version 3.1.7

v3.1.6

Compare Source

Version 3.1.6

v3.1.5

Version 3.1.5

v3.1.3

Compare Source

v3.1.2

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

v2.7.4

Compare Source

Bug fixes

• Fixed Node 4 support, which broke in v2.7.3 (mde/ejs@5e42d6c, @​mde)

v2.7.3

Compare Source

Bug fixes

• Made the post-install message more discreet by following the example of opencollective-postinstall (mde/ejs@228d8e4, @​mde)

v2.7.2

Compare Source

Features

• Added support for destructuring locals (#​452, @​ExE-Boss)
• Added support for disabling legacy include directives (#​458, #​459, @​ExE-Boss)
• Compiled functions are now shown in the debugger (#​456, @​S2-)
• function.name is now set to the file base name in environments that support this (#​466, @​ExE-Boss)

Bug Fixes

• The error message when async != true now correctly mention the existence of the async option (#​460, @​ExE-Boss)
• Improved performance of HTML output generation (#​470, @​nwoltman)

v2.7.1

Compare Source

Deprecated:

• Added deprecation notice for use of require.extensions (@​mde)

v2.6.2

Compare Source

• Correctly pass custom escape function to includes (@​alecgibson)

  • Fixes for rmWhitespace (@​nwoltman)
  • Examples for client-side EJS compiled with Express middleware (@​mjgs)
  • Make Template constructor public (@​ThisNameWasTaken)
  • Added remove function to cache (@​S2-)
  • Recognize both 'Nix and Windows absolute paths (@​mde)

v2.6.1

Compare Source

v2.5.9

Compare Source

v2.5.8

Compare Source

• Add filename to error when include file cannot be found (@​Leon)
• Node v9 in CI (@​Thomas)

• Fixed special case for Express caching (@​mde)

• Added Promise/async-await support to renderFile (@​mde)
• Added notes on IDE support to README (@​Betanu701)

v2.5.7

Compare Source

• Pass configured escape function to rethrow (@​straker)

• Added vulnerabilities info into README (@​mde)

• Avoid creating function object in hot execution path (@​User4martin)

• Added benchmark (@​User4martin)
• Tests for looped includes (@​User4martin)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.