build: update dependency ejs to v6#3704
Code Review
This pull request updates the ejs dependency from version 5.0.2 to 6.0.1 in package.json and the lockfile. However, a critical security review points out that the official ejs package has only been released up to version 3.1.x. Using versions 5.x or 6.x is highly likely to be a supply chain attack or typosquatting attempt. It is strongly recommended to revert this change and downgrade to a stable, official version such as 3.1.10.
| "conventional-commits-filter": "5.0.0", | ||
| "conventional-commits-parser": "6.4.0", | ||
| "ejs": "5.0.2", | ||
| "ejs": "6.0.1", |
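Review bot: This hunk moves ejs across a major version (5.0.2 to 6.0.1) in package.json with no accompanying source or template changes, and the review comments on this PR dispute whether 5.x and 6.x exist at all while the Renovate body further down lists a v6.0.1 release under mde/ejs; resolve that contradiction before merging by confirming that the lockfile's resolved URL and integrity hash for ejs point at the public npm registry entry for the package and that the v6.0.1 tag is present in the mde/ejs repository, and run the project's template rendering tests, since a major bump may carry breaking API changes.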
Critical Security Warning: The official ejs package (https://github.com/mde/ejs) has only been released up to version 3.1.x. There are no official 5.x or 6.x versions of ejs on the public npm registry. Using ejs version 6.0.1 (or the previous 5.0.2) is highly likely to be a supply chain attack, dependency confusion, or typosquatting attempt. Please revert this change immediately and verify the authenticity of the package source. It is recommended to downgrade to the latest stable and official version of ejs (e.g., 3.1.10).
| "ejs": "6.0.1", | |
| "ejs": "3.1.10", |
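Review bot: The suggested change pins package.json at 3.1.10 but leaves the lockfile untouched, so applying it on its own puts package.json and the lockfile out of step and a clean `npm ci` will refuse to install; if the downgrade is adopted, regenerate the lockfile in the same commit and record the reason for the pin so the next automated update does not simply bump it again.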
This PR contains the following updates:

| Package | Change |
|---|---|
| ejs | 5.0.2 → 6.0.1 |

Release Notes

mde/ejs (ejs)

v6.0.1 (Compare Source)

Version 6.0.1