Skip to content

chore(deps): update dependency pug to v3.0.3 [security]#202

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-pug-vulnerability
Open

chore(deps): update dependency pug to v3.0.3 [security]#202
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-pug-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented May 28, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
pug (source) 3.0.23.0.3 age confidence

GitHub Vulnerability Alerts

CVE-2024-36361

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

Severity
  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Release Notes

pugjs/pug (pug)

v3.0.3

Compare Source

Bug Fixes

  • Update pug-code-gen with the following fix: (#​3438)

    Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from toondaey as a code owner May 28, 2024 17:15
@renovate renovate bot added dependencies Pull requests that update a dependency file patch-update labels May 28, 2024
@renovate renovate bot changed the title chore(deps): update dependency pug to v3.0.3 [security] chore(deps): update dependency pug to v3.0.3 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-pug-vulnerability branch December 8, 2024 18:57
@renovate renovate bot changed the title chore(deps): update dependency pug to v3.0.3 [security] - autoclosed chore(deps): update dependency pug to v3.0.3 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-pug-vulnerability branch from 4741183 to 585ae51 Compare December 8, 2024 21:07
@renovate renovate bot changed the title chore(deps): update dependency pug to v3.0.3 [security] chore(deps): update dependency pug to v3.0.3 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot changed the title chore(deps): update dependency pug to v3.0.3 [security] - autoclosed chore(deps): update dependency pug to v3.0.3 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-pug-vulnerability branch from 585ae51 to 19b24f9 Compare March 30, 2026 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@toondaey toondaey Awaiting requested review from toondaey toondaey is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file patch-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants