Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)
If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.
pug-code-gen@3.0.1
Bug Fixes
Update with to resolve core-js deprecation notice (#3259)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/doubtfire-lms/doubtfire-web/network/alerts).
Bumps pug-code-gen to 3.0.3 and updates ancestor dependency grunt-html2js. These dependencies need to be updated together.
Updates
pug-code-gen
from 2.0.3 to 3.0.3Release notes
Sourced from pug-code-gen's releases.
Commits
32acfe8
fix: ensure template names are valid identifiers (#3438)4767caf
refactor: convert pug-error to TypeScript (#3355)a724446
chore: update character-parser (#3354)6cca8f7
docs: fix GitHub format in README (#3335)d4b7f60
Properly handle errors originating from included files when compileDebug is e...d6f0615
fix capture groups for "each" statements (#3274)73ea7cf
fix: keep lexer plugins inside tag interpolation (#3296)29a53c5
fix: Fix pug-lexer parsed escaped interpolations incorrectly (#3299)60b1b15
chore: update supported versions (#3315)991e78f
fix: sanitise and escape thepretty
option (#3314)Updates
grunt-html2js
from 0.6.0 to 0.9.0Release notes
Sourced from grunt-html2js's releases.
Commits
7d2bf71
Prepare 0.9.08c69250
Fix minimst minimum versionb52374d
npm audit fix updatesccfbb37
Bump glob-parent from 5.1.1 to 5.1.2 (#124)feee180
Bump async from 2.6.2 to 2.6.4 (#123)5f4c7f3
Bump ejs and grunt-contrib-nodeunit (#122)abfd32d
Bump path-parse from 1.0.6 to 1.0.7 (#121)5ec8cc4
Bump json-schema and jsprim (#120)3df1321
Bump getobject and grunt-legacy-util (#119)86bf2df
Bump grunt from 1.3.0 to 1.5.3 (#118)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show