please remvove jake as not needed in production - fixes CVE-2021-43138

[dev-trilobyte]

Due to the build only dependency "jake"" a multiple additional not needed dependencies are fetched into EJS.
Now latest version of jake depends on insecure async package (CVE-2021-43138).
Removing jake and restoring no-dep only state as old 2.x version of ejs will silence a lot of noise from different security scanner and people will not need to invest time checking if its really vulnerable or some whitelists needs to be updated.

OTOH whitelisting this vulnerability for ejs/jake will silence the alarm for other possible real threats/dependencies too and is not really an option...

Thanks in advance,
S. Seide

[mceachen]

@mde I just made jakejs/jake#406 to avoid the CVE in jake, if you want to go that route.

[dotnetCarpenter]

@mceachen why is jake not a dev dependency? It seems that jake is used to built ejs and nothing else or is there some hidden built feature in ejs that I am not aware of?

[ahoisl]

@mceachen why is jake not a dev dependency? It seems that jake is used to built ejs and nothing else or is there some hidden built feature in ejs that I am not aware of?

It's apparently used for argument parsing in the CLI, see the discussion in #645

[kareha]

Please remove jake which will make ejs a "dependency free" module in prod mode. That will boost ejs weekly usage imo.
Implement a direct way for cli argument parsing if you need that.
I always prefer dep-free modules, because of exact this reason discussed here and ejs is very close to that :)

[dotnetCarpenter]

@ahoisl thanks for the info. @mde I did a cursory read of the changes in #645 and they seem like a reasonable alternative to waiting for jakejs/jake#406..

[beatfactor]

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

[trazeris]

jake has fixed their dependency jakejs/jake#411

[TobiasWehrum]

Published https://www.npmjs.com/package/@nightwatch/ejs to circumvent this issue.

You can just run npm audit fix to circumvent the issue.