pugjs / then-pug

**EXPERIMENTAL** Async promise based Jade

Future? #19

Open crisward opened 6 years ago

crisward commented 6 years ago

We use then-jade in our websites as it gives us the ability to call async functions from our templates, i.e.

- var menuitems = getMenuFromDatabase()

Are there any plans to update this library? It's currently tripping the node security plugin with this - https://nodesecurity.io/advisories/39 for the uglify js dependency.

Thanks!

crisward commented 6 years ago

BTW should have said - updating to uglify-js >=2.6.0 fixes the security issue.

ForbesLindesay commented 6 years ago

It's looking for a maintainer at the moment. If you're interested, dependencies need updating and it needs to be renamed to then-pug. The biggest job will be that it needs porting to call the low level pug pipeline modules (i.e. pug-lexer, pug-parser, pug-load, pug-linker etc.). If you submit pull requests to do those things, I can add you as a maintainer and you'll be able to publish new versions etc.

jeromew commented 6 years ago

@ForbesLindesay, note that then-pug already exists in npm - https://www.npmjs.com/package/then-pug. I ported it a while ago but it was waiting out-of-beta status of pugjs and a discussion on the pug-code-gen babel AST port.

Cf. issue "rewrite code-gen using babel" - https://github.com/pugjs/pug/issues/2708. The current implementation of code-gen using babel, which I used to port then-jade to then-pug, is here: https://github.com/jeromew/pug/tree/master/packages/pug-code-gen

I am interested in your feedback on issue 2708 to know if this direction for code-gen is still something you'd like to pursue now that pugjs is out of beta.

@crisward I will look at upgrading the uglify version on then-jade but will not work on then-jade anymore - I consider it EOL now that I have a working then-pug version. Feel free

crisward commented 6 years ago

@jeromew I'll keep my eyes open for then-pug being finalised. Thanks for the update and your work on this.

jeromew commented 6 years ago

@crisward I just published 2.4.4 with uglify-js on 2.4.24 (same as in your PR). Tell me if it works for you.

crisward commented 6 years ago

Thanks for your help on this. I installed 2.4.4 and I still get the security errors.

then-jade@2.4.4 > jade@1.11.0 > constantinople@3.0.2  
then-jade@2.4.4 > jade@1.11.0 > transformers@2.1.0 > uglify-js@2.2.5 
then-jade@2.4.4 > jade@1.11.0 > transformers@2.1.0 > uglify-js@2.2.5

However if I install from git+https://git@github.com/crisward/then-jade.git which doesn't have the ~ it installs the specified version of uglify and passes. I'm guessing node must resolve to the most compatible version with the various dependencies.

BTW I did the usual routine of deleting my package-lock.json file and ./node_modules/ folder prior to running npm install and running nsp for both your version and my git fork. For some reason I also got constantinople@3.1.2 without changing anything but the uglify version (which I really don't understand).

jeromew commented 6 years ago

Your problem seems to come from the dependencies of jade 1.11.0. The issue has already been discussed, for instance in https://github.com/pugjs/pug/issues/2399 and https://github.com/pugjs/pug/issues/2072.

I will speak under @ForbesLindesay's scrutiny, but within the pugjs project, the choice was made at this stage to not publish new versions of jade and jade subprojects because we do not want to maintain them as pug is already production ready.

Regarding then-jade, I already use then-pug in production code and it works without a flaw imho. I added warnings to the npm project because the way then-pug was coded is not totally streamlined.

Someone has decided to publish an updated jade version under https://www.npmjs.com/package/jade-legacy. This version would fix your issue.

Maybe I can suggest that you create a new then-jade-legacy project that would use jade-legacy as a dependency instead of jade. It would fix your issues and you would be fully autonomous for future dependency upgrades.

Tell me what you think.
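
The situation discussed above, where the flagged uglify-js arrives through jade rather than through then-jade's own dependency list, can be checked by walking the installed tree. This is an added example, not code from the thread or the project; the tree is constructed from the paths quoted above, `my-site` is a hypothetical application name, and the 2.6.0 threshold is the version named earlier in the thread.

```javascript
// Added example: list every dependency path ending in a package below a minimum
// version, reading the nested shape that `npm ls --json` prints.

// Compare dotted numeric versions (no pre-release tags); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk the tree depth-first and collect "a@1 > b@2 > target@3" paths.
function findOutdated(node, name, target, minVersion, trail = []) {
  const here = trail.concat(`${name}@${node.version}`);
  const hits = [];
  if (name === target && compareVersions(node.version, minVersion) < 0) {
    hits.push(here.join(' > '));
  }
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findOutdated(dep, depName, target, minVersion, here));
  }
  return hits;
}

// Constructed sample tree, built from the paths quoted in the thread.
const jade = {
  version: '1.11.0',
  dependencies: {
    constantinople: { version: '3.0.2' },
    transformers: { version: '2.1.0', dependencies: { 'uglify-js': { version: '2.2.5' } } },
  },
};
const sampleTree = {
  version: '0.0.0', // hypothetical application
  dependencies: { 'then-jade': { version: '2.4.4', dependencies: { jade } } },
};

const report = findOutdated(sampleTree, 'my-site', 'uglify-js', '2.6.0');
console.log(report.join('\n') || 'no outdated copies found');
```

Changing the version then-jade asks for directly does not alter this path, because the old copy is requested by transformers inside jade.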

ForbesLindesay commented 6 years ago

@jeromew can you update this repo to have the code for then-pug? I would like to get then-jade deprecated if then-pug is useable (which by the sounds of things, it is).

jeromew commented 6 years ago

@ForbesLindesay yes it works. I'll see how to organise the repo to use the pug babel branch.

crisward commented 6 years ago

Also noticed it uses lots of babel stuff to make generators possible (via regenerator). This could probably be dropped now these are supported in node?

BananaAcid commented 4 years ago

Sooo ... is this alive?

jeromew commented 4 years ago

It currently works. I still have difficulties finding a good way to organise the repo in order to keep it simple to stay in sync with upstream.

BananaAcid commented 4 years ago

I saw an update of Pug from 6 months ago - is there anything missing in then-pug compared to pug?