
root - chore: upgrade ejs to v6 (breaking)#384

Merged
jaredwray merged 1 commit into
mainfrom
claude/ecto-dependency-maintenance-n8yajd
Jun 25, 2026

Conversation

@jaredwray

Owner

Summary

Upgrade the EJS template engine across a major version. First runtime-phase PR.

Versions

  • ejs 5.0.2 → 6.0.1

Tests

  • pnpm build passes
  • pnpm test passes (239 tests, 100% coverage) — no code changes required

Breaking notes

ejs 6 is primarily a packaging + security major; ecto's EJS engine uses the stable ejs.render(source, data, opts) API, which is unchanged.

  • Dual ESM/CJS packaging: ejs now ships proper separate lib/esm and lib/cjs builds. The old dual-mode shim (module.exports = ejs inside the ESM source) that modern ESM bundlers / Bun / Deno treated as malformed has been removed. This is strictly better for ecto, which is an ESM-only package.
  • Prototype-pollution mitigation (new default): template identifiers no longer resolve through the locals object's prototype chain. Consumers who pass class instances / Object.create(...) locals and rely on inherited top-level properties must now opt in via the new unsafePrototypeLocals: true option. ecto's typical plain-object locals are unaffected.

Notes

Runtime-phase ordering: writr 6.1.3 (higher priority, patch) is deferred — the repo's trustPolicy: no-downgrade rejects writr@6.1.2/6.1.3 (pulled transitively by docula@2.0.0) because earlier writr versions carried provenance attestation and these don't. Reported separately; not bundled here.

🤖 Generated with Claude Code


Generated by Claude Code

Bump the EJS template engine across a major version.

- ejs 5.0.2 -> 6.0.1

ejs 6 is primarily a packaging/security major:
- Proper dual ESM/CJS output (separate lib/esm and lib/cjs); the old
  dual-mode shim that broke ESM-aware bundlers/Bun/Deno is removed. This
  is strictly better for ecto, which is an ESM package.
- New default prototype-pollution mitigation: template identifiers no
  longer resolve through the locals object's prototype chain unless the
  new `unsafePrototypeLocals: true` option is set.

ecto's EJS engine uses the stable ejs.render(source, data, opts) API,
which is unchanged. pnpm build and all 239 tests pass with 100% coverage,
no code changes required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013MMsnH2H2ghs6xLGibb5v2
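The breaking note above describes a behavioural change without showing it. The following is an added illustrative example, not ejs's implementation and not ecto's code: a tiny identifier resolver that models the two lookup policies the PR describes (own-property-only versus walking the prototype chain) and runs three of the cases the note mentions: plain-object locals, a class instance that relies on an inherited property, and a polluted Object.prototype. The option name `unsafePrototypeLocals` is taken from the PR text; the function names, the `<%= name %>`-only substitution and the sample templates are assumptions made for this example, and ejs's real scoping mechanism may differ in detail.

```javascript
// Added example (not ejs or ecto code). Models the locals-lookup change
// described in the ejs 6 breaking notes. Only `unsafePrototypeLocals` is
// a name from the PR; everything else here is hypothetical.

// Resolve one top-level template identifier against `locals`.
// Default (safe): only the locals object's own properties are visible.
// unsafePrototypeLocals: plain property access, which walks the prototype chain.
function resolveIdentifier(locals, name, { unsafePrototypeLocals = false } = {}) {
  if (unsafePrototypeLocals) {
    return locals[name];
  }
  return Object.prototype.hasOwnProperty.call(locals, name) ? locals[name] : undefined;
}

// Minimal `<%= identifier %>` substitution driven by the resolver above.
// Unresolved identifiers render as the empty string.
function renderModel(template, locals, opts) {
  return template.replace(/<%=\s*([A-Za-z_$][\w$]*)\s*%>/g, (_, name) => {
    const value = resolveIdentifier(locals, name, opts);
    return value === undefined ? '' : String(value);
  });
}

// Case 1: plain-object locals (ecto's typical usage) render identically
// under both policies, so nothing changes for such callers.
function plainLocalsDemo() {
  const locals = { title: 'Hello' };
  return {
    safe: renderModel('<%= title %>', locals),
    unsafe: renderModel('<%= title %>', locals, { unsafePrototypeLocals: true }),
  };
}

// Case 2: a class instance whose `footer` is a getter on the prototype.
// Under the safe default the inherited property is invisible to the template;
// callers who depended on it must opt in with unsafePrototypeLocals: true.
class ViewModel {
  constructor(title) { this.title = title; }
  get footer() { return 'inherited footer'; } // lives on ViewModel.prototype
}

function inheritedLocalsDemo() {
  const locals = new ViewModel('Page');
  return {
    safe: renderModel('<%= title %>|<%= footer %>', locals),
    unsafe: renderModel('<%= title %>|<%= footer %>', locals, { unsafePrototypeLocals: true }),
  };
}

// Case 3: a constructed prototype-pollution scenario. An attacker-controlled key
// planted on Object.prototype never appears in `locals`, yet chain lookup
// resolves it; own-property lookup does not. The pollution is undone afterwards.
function pollutedPrototypeDemo() {
  const key = 'isAdmin';
  Object.defineProperty(Object.prototype, key, { value: 'true', configurable: true });
  try {
    const locals = { title: 'x' }; // caller never set isAdmin
    return {
      safe: renderModel('<%= isAdmin %>', locals),
      unsafe: renderModel('<%= isAdmin %>', locals, { unsafePrototypeLocals: true }),
    };
  } finally {
    delete Object.prototype[key];
  }
}

console.log(plainLocalsDemo(), inheritedLocalsDemo(), pollutedPrototypeDemo());
```

The practical check for a consumer upgrading is case 2: any locals that are class instances or built with Object.create(...) and that expose values only through the prototype will now render empty unless the option is set, which is exactly what the PR's "no code changes required" claim for ecto's plain-object locals rests on.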
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package      Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   ejs@6.0.1    100                     100             100       87            100

View full report

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the ejs dependency from version ^5.0.2 to ^6.0.1 in package.json and updates the pnpm-lock.yaml file accordingly. There are no review comments, and I have no feedback to provide.

@codecov

codecov Bot commented Jun 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (a879f9c) to head (5f9bba4).

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #384   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            9         9           
  Lines          409       409           
  Branches        96        96           
=========================================
  Hits           409       409           

☔ View full report in Codecov by Harness.

@jaredwray jaredwray merged commit d3e2749 into main Jun 25, 2026
11 checks passed
@jaredwray jaredwray deleted the claude/ecto-dependency-maintenance-n8yajd branch June 25, 2026 16:28
@jaredwray jaredwray mentioned this pull request Jun 25, 2026
4 tasks