please remvove jake as not needed in production - fixes CVE-2021-43138 #659
Comments
|
@mde I just made jakejs/jake#406 to avoid the CVE in |
|
@mceachen why is |
|
Please remove jake which will make ejs a "dependency free" module in prod mode. That will boost ejs weekly usage imo. |
|
@ahoisl thanks for the info. @mde I did a cursory read of the changes in #645 and they seem like a reasonable alternative to waiting for jakejs/jake#406.. |
|
Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue. |
|
jake has fixed their dependency jakejs/jake#411 |
You can just run |
using `npm audit fix`
|
Moving the CLI into another package, or at least using some lighter / more specialized dependency like commander or embedding the arg parser as suggested in the PR #645, could indeed be a good thing to do. Using Jake as a production dependency has also a direct impact on the package installation size that increased from 117 kB (3.0.2) to 541 kB (3.1.2) and 1.31 MB (3.1.7). As ejs is downloaded more than 10M times a week, increasing the package size by more than 10x makes a lot of difference globally in network and file system usage (even if yes, it's still a small dependency)! And it's even more unfortunate that more than 90% of the installation size is therefore linked to a secondary feature 😕.
|
FWIW, you didn't change the |
Due to the build only dependency "jake"" a multiple additional not needed dependencies are fetched into EJS.
Now latest version of jake depends on insecure async package (CVE-2021-43138).
Removing jake and restoring no-dep only state as old 2.x version of ejs will silence a lot of noise from different security scanner and people will not need to invest time checking if its really vulnerable or some whitelists needs to be updated.
OTOH whitelisting this vulnerability for ejs/jake will silence the alarm for other possible real threats/dependencies too and is not really an option...
Thanks in advance,
S. Seide
The text was updated successfully, but these errors were encountered: