Skip to content

Commit 06905e9

Browse files
Vinayak Guptameta-codesync[bot]
authored andcommitted
Bump ejs to ^3.1.10 to fix CVE-2024-33883
Summary: Upgrade ejs dependency in node/package.json from ^2.4.2 to ^3.1.10 to remediate GHSA-ghr5-ch3p-vcr6 (CVE-2024-33883), a medium-severity prototype pollution vulnerability in ejs < 3.1.10. The app only uses ejs as an Express view engine (app.set + res.render), which is fully compatible with ejs 3.x — no code changes required. Reviewed By: shreeshyadav Differential Revision: D99690816 fbshipit-source-id: a0107d92515d3bdc20a38e36e3247f722dfe0962
1 parent d7f655d commit 06905e9

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

node/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@
1717
"dependencies": {
1818
"body-parser": "^1.15.0",
1919
"config": "^1.20.4",
20-
"ejs": "^2.4.2",
20+
"ejs": "^3.1.10",
2121
"express": "^4.13.4",
2222
"request": "^2.72.0"
2323
},

0 commit comments

Comments
 (0)