Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

please remvove jake as not needed in production - fixes CVE-2021-43138 #659

Open
dev-trilobyte opened this issue Apr 7, 2022 · 10 comments

Comments

@dev-trilobyte
Copy link

Due to the build only dependency "jake"" a multiple additional not needed dependencies are fetched into EJS.
Now latest version of jake depends on insecure async package (CVE-2021-43138).
Removing jake and restoring no-dep only state as old 2.x version of ejs will silence a lot of noise from different security scanner and people will not need to invest time checking if its really vulnerable or some whitelists needs to be updated.

OTOH whitelisting this vulnerability for ejs/jake will silence the alarm for other possible real threats/dependencies too and is not really an option...

Thanks in advance,
S. Seide

@mceachen
Copy link

mceachen commented Apr 7, 2022

@mde I just made jakejs/jake#406 to avoid the CVE in jake, if you want to go that route.

@dotnetCarpenter
Copy link

@mceachen why is jake not a dev dependency? It seems that jake is used to built ejs and nothing else or is there some hidden built feature in ejs that I am not aware of?

@ahoisl
Copy link

ahoisl commented Apr 13, 2022

@mceachen why is jake not a dev dependency? It seems that jake is used to built ejs and nothing else or is there some hidden built feature in ejs that I am not aware of?

It's apparently used for argument parsing in the CLI, see the discussion in #645

@kareha
Copy link

kareha commented Apr 13, 2022

Please remove jake which will make ejs a "dependency free" module in prod mode. That will boost ejs weekly usage imo.
Implement a direct way for cli argument parsing if you need that.
I always prefer dep-free modules, because of exact this reason discussed here and ejs is very close to that :)

@dotnetCarpenter
Copy link

@ahoisl thanks for the info. @mde I did a cursory read of the changes in #645 and they seem like a reasonable alternative to waiting for jakejs/jake#406..

@beatfactor
Copy link

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

@trazeris
Copy link

trazeris commented Apr 20, 2022

jake has fixed their dependency jakejs/jake#411

@TobiasWehrum
Copy link

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

You can just run npm audit fix to circumvent the issue.

ShlomoCode added a commit to ShlomoCode/rss-tracker that referenced this issue May 1, 2022
@GaelGirodon
Copy link

Moving the CLI into another package, or at least using some lighter / more specialized dependency like commander or embedding the arg parser as suggested in the PR #645, could indeed be a good thing to do.

Using Jake as a production dependency has also a direct impact on the package installation size that increased from 117 kB (3.0.2) to 541 kB (3.1.2) and 1.31 MB (3.1.7). As ejs is downloaded more than 10M times a week, increasing the package size by more than 10x makes a lot of difference globally in network and file system usage (even if yes, it's still a small dependency)!

And it's even more unfortunate that more than 90% of the installation size is therefore linked to a secondary feature 😕.

packagephobia-ejs

@mceachen
Copy link

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

FWIW, you didn't change the repository metadata in your package.json for your forked version--it's still pointing to this repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants