Security vulnerability Template injection in ejs #7161

@Skrigueztep

Version

5.0.1

Environment info

System:
    OS: Windows 10 10.0.19042
    CPU: (16) x64 AMD Ryzen 7 4800H with Radeon Graphics
  Binaries:
    Node: 14.18.1 - D:\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.15 - D:\nodejs\npm.CMD
  Browsers:
    Chrome: Not Found
    Edge: Spartan (44.19041.1266.0), Chromium (101.0.1210.53)
  npmPackages:
    @fortawesome/vue-fontawesome: ^0.1.10 => 0.1.10
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1
    @vue/babel-helper-vue-transform-on:  1.0.2
    @vue/babel-plugin-jsx:  1.1.1
    @vue/babel-plugin-transform-vue-jsx:  1.2.1
    @vue/babel-preset-app:  5.0.1
    @vue/babel-preset-jsx:  1.2.4
    @vue/babel-sugar-composition-api-inject-h:  1.2.1
    @vue/babel-sugar-composition-api-render-instance:  1.2.4
    @vue/babel-sugar-functional-vue:  1.2.2
    @vue/babel-sugar-inject-h:  1.2.2
    @vue/babel-sugar-v-model:  1.2.3
    @vue/babel-sugar-v-on:  1.2.3
    @vue/cli-overlay:  5.0.1
    @vue/cli-plugin-babel: ^5.0.1 => 5.0.1
    @vue/cli-plugin-e2e-nightwatch: ^5.0.1 => 5.0.1
    @vue/cli-plugin-eslint: ^5.0.1 => 5.0.1
    @vue/cli-plugin-router: ^5.0.1 => 5.0.1
    @vue/cli-plugin-unit-jest: ^5.0.1 => 5.0.1
    @vue/cli-plugin-vuex: ^5.0.1 => 5.0.1
    @vue/cli-service: ^5.0.1 => 5.0.1
    @vue/cli-shared-utils:  5.0.1
    @vue/component-compiler-utils:  3.3.0
    @vue/eslint-config-airbnb: ^5.3.0 => 5.3.0
    @vue/test-utils: ^1.1.4 => 1.3.0
    @vue/vue2-jest: ^27.0.0-alpha.3 => 27.0.0-alpha.4
    @vue/web-component-wrapper:  1.3.0
    eslint-plugin-vue: ^7.14.0 => 7.20.0
    jest-serializer-vue:  2.0.2
    vue: ^2.6.12 => 2.6.14
    vue-axios: ^2.0.2 => 2.1.5
    vue-bem-generator: ^1.0.3 => 1.0.3
    vue-cc-input: ^0.1.22 => 0.1.22
    vue-cli-webpack:  1.0.0
    vue-eslint-parser:  7.11.0
    vue-hot-reload-api:  2.3.4
    vue-i18n: ^7.8.0 => 7.8.1
    vue-loader:  17.0.0 (15.9.8)
    vue-mask-directive: ^1.0.4 => 1.0.4
    vue-router: ^3.5.1 => 3.5.3
    vue-slick: ^1.1.16 => 1.1.16
    vue-style-loader:  4.1.3
    vue-svgicon: ^3.2.9 => 3.2.9
    vue-template-compiler: ^2.6.12 => 2.6.14
    vue-template-es2015-compiler:  1.9.1
    vue-ultra-sidenav: ^1.1.0 => 1.1.0
    vuejs-datepicker: ^1.5.4 => 1.6.2
    vuex: ^3.6.2 => 3.6.2
    vuex-router-sync: ^5.0.0 => 5.0.0
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

  • create a new vue (2) project
  • add @vue/cli-plugin-e2e-nightwatch dep
  • execute npm audit

What is expected?

No vulnerabilities

What is actually happening?

Critical vulnerability with the @vue/cli-plugin-e2e-nightwatch dep, produced by the nightwatch dep

The nightwatch dep has solved the issue by updating its ejs dep to v3.1.8; current package.json below:

https://github.com/nightwatchjs/nightwatch/blob/main/package.json


Please update the nightwatch dep in the @vue/cli-plugin-e2e-nightwatch package
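
To see which installed copy of ejs is older than 3.1.8 and which package pulls it in, the lockfile can be walked directly. This is an added example, not part of the original issue or of any project's code; it assumes the npm 6 `lockfileVersion: 1` layout, and `findOldEjs`, `isBelow` and `sampleLock` are hypothetical names with constructed sample data.

```javascript
// Added example. sampleLock is constructed (npm 6 / lockfileVersion 1 layout);
// every version in it except ejs 3.1.8 and plugin 5.0.1 is a placeholder.
const FIXED_EJS = [3, 1, 8]; // ejs release the issue names as the fix

function isBelow(version, floor) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  if (!m) return true; // unparseable version: flag it for manual review
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== floor[i]) return parts[i] < floor[i];
  }
  return false; // equal to the floor, so already fixed
}

// Walk the nested "dependencies" tree and report every installed ejs copy
// below the floor, plus each package whose "requires" asks for ejs.
function findOldEjs(lock) {
  const installed = [];
  const requiredBy = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name].join(' > ');
      if (name === 'ejs' && isBelow(info.version, FIXED_EJS)) {
        installed.push({ path, version: info.version });
      }
      if (info.requires && info.requires.ejs) {
        requiredBy.push({ by: path, range: info.requires.ejs });
      }
      walk(info.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return { installed, requiredBy };
}

const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    '@vue/cli-plugin-e2e-nightwatch': { version: '5.0.1', requires: { nightwatch: '^1.0.0' } },
    nightwatch: {
      version: '1.0.0',
      requires: { ejs: '^2.0.0' },
      dependencies: { ejs: { version: '2.0.0' } }, // nested, outdated copy
    },
    ejs: { version: '3.1.8' }, // hoisted copy already at the fixed release
  },
};

console.log(JSON.stringify(findOldEjs(sampleLock), null, 2));
```

The hoisted ejs 3.1.8 entry is not reported, while the copy nested under nightwatch is, which is why a top-level `npm install ejs@3.1.8` alone would not clear the audit finding.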
