🚨 [security] Update pug 2.0.3 → 3.0.3 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ pug (2.0.3 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Pug allows JavaScript code execution if an application accepts untrusted input

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

🚨 Remote code execution via the `pretty` option.

Impact

If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: #3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

↗️ constantinople (indirect, 3.1.2 → 4.0.1) · Repo

Commits

See the full diff on Github. The new version differs by 5 commits:

• Release 4.0.1
• Release 4.0.0
• chore: apply prettier and use actual expression type (#10)
• deps: update babylon -> @babel/parser, babel-types -> @babel/types (#9)
• Only allow es5 trailing commas in tests

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

• v1.1.2
• [meta] add `auto-changelog`
• [Robustness] remove runtime dependency on all builtins except `.apply`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [meta] add `funding` field; create FUNDING.yml
• [Tests] use `aud` instead of `npm audit`
• [meta] update `.gitignore`
• [Tests] switch to nyc for coverage
• [meta] add `safe-publish-latest`
• [Dev Deps] update `@ljharb/eslint-config`, `tape`
• [actions] fix permissions
• Revert "Point to the correct file"
• Merge pull request #16 from svedova/patch-1
• Point to the correct file
• [readme] update badges
• [meta] use `npmignore` to autogenerate an npmignore file
• [Tests] migrate tests to Github Actions
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`
• [meta] create SECURITY.md
• [Tests] fix eslint errors from #15
• [Dev Deps] update `@ljharb/eslint‑config`, `eslint`, `tape`
• [Tests] up to `node` `v11.10`, `v10.15`, `v9.11`, `v8.15`, `v6.16`, `v4.9`; use `nvm install-latest-npm`; run audit script in tests
• [Tests] add `npm run audit`
• [Tests] remove `jscs`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `covert`, `tape`
• Docs: enable badges; update wording

↗️ is-regex (indirect, 1.0.4 → 1.1.4) · Repo · Changelog

Release Notes

1.1.4 (from changelog)

Commits

• [Dev Deps] update auto-changelog, core-js, eslint, tape 4b17cad
• [Refactor] use has-tostringtag to behave correctly in the presence of symbol shams 2dad4af

1.1.3 (from changelog)

Commits

• [actions] use node/install instead of node/run; use codecov action c681ab9
• [Fix] do not use Object.prototype.toString when Symbol.toStringTag is shammed ca019fd
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 605a66f
• [readme] add actions and codecov badges 8d7c6f0
• [meta] use prepublishOnly script for npm 7+ 8e50e91
• [Deps] update has-symbols 4742c81

1.1.0 (from changelog)

Commits

• [New] use badStringifier‑based RegExp detection 31eff67
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape fc91458
• [Dev Deps] update eslint, @ljharb/eslint-config, tape; add safe-publish-latest d43ed83
• [Dev Deps] update auto-changelog, tape; add aud 56647d1
• [meta] only run aud on prod deps e0865b8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 60 commits:

• v1.1.4
• [Dev Deps] update `auto-changelog`, `core-js`, `eslint`, `tape`
• [Refactor] use `has-tostringtag` to behave correctly in the presence of symbol shams
• v1.1.3
• [Fix] do not use `Object.prototype.toString` when `Symbol.toStringTag` is shammed
• [Deps] update `has-symbols`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [readme] add actions and codecov badges
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+
• v1.1.2
• [Robustness] use `call-bind`
• [meta] do not publish github action workflow files
• [readme] fix repo URLs; remove travis badge
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`
• [meta] gitignore coverage output
• [actions] update workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`
• [Tests] migrate tests to Github Actions
• [Tests] run `nyc` on all tests
• [actions] add "Allow Edits" workflow
• [actions] switch Automatic Rebase workflow to `pull_request_target` event
• v1.1.1
• [Dev Deps] update `auto-changelog`, `eslint`
• [Performance] Re-add lastIndex check to improve performance
• v1.1.0
• [New] use `badStringifier`‑based RegExp detection
• [meta] only run `aud` on prod deps
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [Dev Deps] update `auto-changelog`, `tape`; add `aud`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`; add `safe-publish-latest`
• v1.0.5
• [Dev Deps] update `eslint`
• [meta] remove unused Makefile and associated utilities
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`
• [Tests] set audit level
• [meta] add `auto-changelog`
• [meta] add `funding` field
• [Tests] use shared travis-ci configs
• [actions] add automatic rebasing / merge commit blocking
• [Tests] up to `node` `v12.10`, `v11.15`, `v10.16`, `v8.16`, `v6.17`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `replace`, `semver`, `tape`
• [Tests] use `npx aud` instead of `nsp` or `npm audit` with hoops
• [Tests] use `eclint` instead of `editorconfig-tools`
• [Tests] remove `nsp`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `covert`, `tape`
• [Deps] update `has`
• [Tests] switch from `nsp` to `npm audit`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config@`, `replace`, `semver`, `tape`
• [Tests] up to `node` `v11.3`, `v10.14`, `v8.14`, `v6.15`
• [Tests] remove `jscs`
• [Dev Deps] update `replace`
• [Tests] on `node` `v10.1`
• [Tests] up to `node` `v10.0`, `v9.11`, `v8.11`, `v6.14`, `v4.9`
• [Dev Deps] update `eslint`, `nsp`, `semver`, `tape`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `jscs`, `nsp`, `replace`, `semver`, `tape`
• [Tests] up to `node` `v9.3`, `v8.9`, `v6.12`; use `nvm install-latest-npm`; pin included builds to LTS
• [Dev Deps] update `tape`, `nsp`, `eslint`, `@ljharb/eslint-config`
• Only apps should have lockfiles.
• [Tests] up to `node` `v8.1`, `v7.10`, `v6.11`, `v4.8`; newer npm fails on older nodes

↗️ pug-code-gen (indirect, 2.0.1 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Pug allows JavaScript code execution if an application accepts untrusted input

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

🚨 Remote code execution via the `pretty` option.

Impact

If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: #3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

🚨 Remote code execution via the `pretty` option.

Impact

If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: #3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

🆕 @​babel/helper-string-parser (added, 7.24.6)

🆕 @​babel/helper-validator-identifier (added, 7.24.6)

🆕 assert-never (added, 1.2.1)

🆕 babel-walk (added, 3.0.0-canary-5)

🆕 call-bind (added, 1.0.7)

🆕 define-data-property (added, 1.1.4)

🆕 es-define-property (added, 1.0.0)

🆕 es-errors (added, 1.3.0)

🆕 get-intrinsic (added, 1.2.4)

🆕 gopd (added, 1.0.1)

🆕 has-property-descriptors (added, 1.0.2)

🆕 has-proto (added, 1.0.3)

🆕 has-symbols (added, 1.0.3)

🆕 has-tostringtag (added, 1.0.2)

🆕 hasown (added, 2.0.2)

🆕 is-core-module (added, 2.13.1)

🆕 set-function-length (added, 1.2.2)

🆕 supports-preserve-symlinks-flag (added, 1.0.0)

🗑️ @​types/babel-types (removed)

🗑️ @​types/babylon (removed)

🗑️ acorn-globals (removed)

🗑️ align-text (removed)

🗑️ center-align (removed)

🗑️ has (removed)

🗑️ lazy-cache (removed)

🗑️ longest (removed)

🗑️ right-align (removed)

🗑️ uglify-to-browserify (removed)

🗑️ window-size (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codeclimate]

Code Climate has analyzed commit a9c1d2e and detected 0 issues on this pull request.

View more on Code Climate.