ejs
Embedded JavaScript templates
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:ejs-v4.0.1/ejs.js | AI (source-diff): EJS is a template engine; fs.readFileSync + new Function() is its core compile mechanism, not dropper/loader behavior. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:ejs-v4.0.1/ejs.min.js | AI (source-diff): Minified browser bundle of EJS template engine; filesystem reads and new Function() are expected template compilation behavior, not malware. | ai | |
| source-diff | net-exec-file:ejs-v4.0.1/lib/cjs/ejs.js | AI (source-diff): CJS build of EJS template engine; fs + new Function() is the documented template compilation mechanism, not network exfiltration. | ai | |
| source-diff | net-exec-file:ejs-v4.0.1/lib/esm/ejs.js | AI (source-diff): ESM build of EJS template engine; node:fs + new Function() is the documented template compilation mechanism, not network exfiltration. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): EJS is a long-established templating engine; 2-edit distance from 'ajv' is coincidental. Not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): EJS is a long-established templating engine; 2-edit distance from 'qs' is coincidental for a 3-char name. Not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:rxjs | AI (typosquat): EJS is a long-established templating engine; 2-edit distance from 'rxjs' is coincidental. Not a typosquat. | ai | |
| source-diff | net-exec-file:ejs-v5.0.1/lib/esm/ejs.js | AI (source-diff): ESM build of EJS; same legitimate pattern. Expected build artifact for ESM consumers. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is the core template compilation mechanism for EJS; already marked [Accepted risk] by analyzer. Stable for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in jakefile.js (build tooling), not in runtime library code. Not a risk for package consumers. | ai | |
| source-diff | net-exec-file:ejs-v5.0.1/ejs.js | AI (source-diff): EJS legitimately uses fs for template file loading and new Function() for template compilation. The UMD bundle is expected browser output. Not malware. | ai | |
| source-diff | net-exec-file:ejs-v5.0.1/ejs.min.js | AI (source-diff): Minified UMD bundle of EJS; same legitimate fs+new Function() pattern as ejs.js. Expected build artifact. | ai | |
| source-diff | net-exec-file:ejs-v5.0.1/lib/cjs/ejs.js | AI (source-diff): CJS build of EJS; fs is used for template file loading, new Function() for template compilation. Core EJS functionality, not malware. | ai |
Versions (showing 51 of 78)
| Version | Deps | Published |
|---|---|---|
| 6.0.1 | 0 / 10 | |
| 5.0.2 | 0 / 10 | |
| 5.0.1 | 0 / 10 | |
| 4.0.1 | 1 / 9 | |
| 3.1.10 | 1 / 7 | |
| 3.1.9 | 1 / 7 | |
| 3.1.8 | 1 / 7 | |
| 3.1.7 | 1 / 7 | |
| 3.1.6 | 1 / 7 | |
| 3.1.4 | 1 / 7 | |
| 3.1.3 | 1 / 7 | |
| 3.1.2 | 1 / 7 | |
| 3.0.2 | 0 / 8 | |
| 3.0.1 | 0 / 8 | |
| 2.7.4 | 0 / 8 | |
| 2.7.3 | 0 / 9 | |
| 2.7.2 | 0 / 9 | |
| 2.7.1 | 0 / 9 | |
| 2.6.2 | 0 / 9 | |
| 2.6.1 | 0 / 9 | |
| 2.5.9 | 0 / 9 | |
| 2.5.8 | 0 / 9 | |
| 2.5.7 | 0 / 9 | |
| 2.5.6 | 0 / 9 | |
| 2.5.5 | 0 / 9 | |
| 2.5.4 | 0 / 9 | |
| 2.5.3 | 0 / 9 | |
| 2.5.2 | 0 / 9 | |
| 2.5.1 | 0 / 9 | |
| 2.4.2 | 0 / 8 | |
| 2.4.1 | 0 / 8 | |
| 2.3.4 | 0 / 8 | |
| 2.3.3 | 0 / 8 | |
| 2.3.2 | 0 / 8 | |
| 2.3.1 | 0 / 8 | |
| 2.2.4 | 0 / 5 | |
| 2.2.3 | 0 / 5 | |
| 2.2.2 | 0 / 5 | |
| 2.2.1 | 0 / 5 | |
| 2.1.4 | 0 / 5 | |
| 2.1.3 | 0 / 5 | |
| 2.1.2 | 0 / 5 | |
| 2.1.1 | 0 / 5 | |
| 2.0.8 | 0 / 4 | |
| 2.0.7 | 0 / 4 | |
| 2.0.6 | 0 / 4 | |
| 2.0.5 | 0 / 4 | |
| 2.0.4 | 0 / 4 | |
| 2.0.3 | 0 / 4 | |
| 2.0.2 | 0 / 4 | |
| 1.0.0 | 0 / 2 |
v6.0.1
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.