🚨 [security] Update pug 3.0.0 → 3.0.4 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ pug (3.0.0 → 3.0.4) · Repo · Changelog

Security Advisories 🚨

🚨 Pug allows JavaScript code execution if an application accepts untrusted input

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

🚨 Remote code execution via the `pretty` option.

Impact

If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: #3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

↗️ @​babel/parser (indirect, 7.12.3 → 7.29.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

↗️ @​babel/types (indirect, 7.12.1 → 7.29.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

↗️ has-symbols (indirect, 1.0.1 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

• [actions] update workflows 548c0bf
• [actions] further shard; update action deps bec56bb
• [meta] use npmignore to autogenerate an npmignore file ac81032
• [New] add types 6469cbf
• [actions] update rebase action to use reusable workflow 9c9d4d0
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape adb5887
• [Dev Deps] update @ljharb/eslint-config, aud, tape 13ec198
• [Dev Deps] update auto-changelog, core-js, tape 941be52
• [Tests] replace aud with npm audit 74f49e9
• [Dev Deps] update npmignore 9c0ac04
• [Dev Deps] add missing peer dep 52337a5

1.0.3 (from changelog)

Commits

• [actions] use node/install instead of node/run; use codecov action 518b28f
• [meta] add bugs and homepage fields; reorder package.json c480b13
• [actions] reuse common workflows 01d0ee0
• [actions] update codecov uploader 6424ebe
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape dfa7e7f
• [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 0c8d436
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 9026554
• [readme] add actions and codecov badges eaa9682
• [Dev Deps] update eslint, tape bc7a3ba
• [Dev Deps] update eslint, auto-changelog 0ace00a
• [meta] use prepublishOnly script for npm 7+ 093f72b
• [Tests] test on all 16 minors 9b80d3d

1.0.2 (from changelog)

Fixed

• [Fix] use a universal way to get the original Symbol #11

Commits

• [Tests] migrate tests to Github Actions 90ae798
• [meta] do not publish github action workflow files 29e60a1
• [Tests] run nyc on all tests 8476b91
• [readme] fix repo URLs, remove defunct badges 126288e
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, get-own-property-symbols d84bdfa
• [Tests] fix linting errors 0df3070
• [actions] add "Allow Edits" workflow 1e6bc29
• [Dev Deps] update eslint, @ljharb/eslint-config, tape 36cea2a
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 1278338
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 1493254
• [Dev Deps] update eslint, @ljharb/eslint-config, core-js b090bf2
• [actions] switch Automatic Rebase workflow to pull_request_target event 4addb7a
• [Dev Deps] update auto-changelog, tape 81d0baf
• [Dev Deps] update auto-changelog; add aud 1a4e561
• [readme] remove unused testling URLs 3000941
• [Tests] only audit prod deps 692e974
• [Dev Deps] update @ljharb/eslint-config 51c946c

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 44 commits:

• v1.1.0
• [New] add types
• [Dev Deps] add missing peer dep
• [Dev Deps] update `auto-changelog`, `core-js`, `tape`
• [actions] update workflows
• [Tests] replace `aud` with `npm audit`
• [actions] further shard; update action deps
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Dev Deps] update `npmignore`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [actions] update rebase action to use reusable workflow
• v1.0.3
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [meta] add `bugs` and `homepage` fields; reorder package.json
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [Dev Deps] update `eslint`, `tape`
• [Tests] test on all 16 minors
• [readme] add actions and codecov badges
• [Dev Deps] update `eslint`, `auto-changelog`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+
• v1.0.2
• [Fix] use a universal way to get the original Symbol
• [readme] remove unused testling URLs
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [meta] do not publish github action workflow files
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `core-js`, `get-own-property-symbols`
• [readme] fix repo URLs, remove defunct badges
• [Tests] migrate tests to Github Actions
• [Tests] fix linting errors
• [Tests] run `nyc` on all tests
• [actions] add "Allow Edits" workflow
• [actions] switch Automatic Rebase workflow to `pull_request_target` event
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [Dev Deps] update `auto-changelog`; add `aud`
• [Tests] only audit prod deps
• [Dev Deps] update `auto-changelog`, `tape`
• [Dev Deps] update `@ljharb/eslint-config`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `core-js`

↗️ is-regex (indirect, 1.1.1 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Commits

• [Refactor] use call-bound directly dbabfe3
• [Deps] update call-bind, gopd d5343a0
• [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig cc081eb

1.2.0 (from changelog)

Fixed

• [Tests] allow tests to pass if zero traps are triggered #35

Commits

• [actions] reuse common workflows be7bf6a
• [New] add types 39066a4
• [meta] use npmignore to autogenerate an npmignore file 8938588
• [Refactor] reorganize code 2f76f26
• [actions] split out node 10-20, and 20+ 8c9aedf
• [meta] better eccheck command 6b39408
• [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape e38cf3c
• [actions] update codecov uploader 487c75d
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, foreach, tape 0d7da87
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape c1c1198
• [actions] update rebase action to use reusable workflow 213646e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 0a44e77
• [Refactor] use hasown d939332
• [Deps] update call-bind, has-tostringtag 46bfdc9
• [Tests] use for-each instead of foreach 138b3f2
• [Tests] replace aud with npm audit 37ed80a
• [Deps] update gopd 6fd4097
• [Dev Deps] update core-js 97c1c60
• [Dev Deps] add missing peer dep 7329b8e

1.1.4 (from changelog)

Commits

• [Dev Deps] update auto-changelog, core-js, eslint, tape 4b17cad
• [Refactor] use has-tostringtag to behave correctly in the presence of symbol shams 2dad4af

1.1.3 (from changelog)

Commits

• [actions] use node/install instead of node/run; use codecov action c681ab9
• [Fix] do not use Object.prototype.toString when Symbol.toStringTag is shammed ca019fd
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 605a66f
• [readme] add actions and codecov badges 8d7c6f0
• [meta] use prepublishOnly script for npm 7+ 8e50e91
• [Deps] update has-symbols 4742c81

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 47 commits:

• v1.2.1
• [Refactor] use `call-bound` directly
• [Deps] update `call-bind`, `gopd`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/tsconfig`
• v1.2.0
• [New] add types
• [Deps] update `gopd`
• [Dev Deps] update `core-js`
• [Refactor] reorganize code
• [Refactor] use `hasown`
• [actions] split out node 10-20, and 20+
• [Dev Deps] add missing peer dep
• [Tests] allow tests to pass if zero traps are triggered
• [Deps] update `call-bind`, `has-tostringtag`
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `core-js`, `npmignore`, `tape`
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Tests] use `for-each` instead of `foreach`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `core-js`, `foreach`, `tape`
• [actions] update rebase action to use reusable workflow
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `core-js`, `tape`
• [meta] better `eccheck` command
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• v1.1.4
• [Dev Deps] update `auto-changelog`, `core-js`, `eslint`, `tape`
• [Refactor] use `has-tostringtag` to behave correctly in the presence of symbol shams
• v1.1.3
• [Fix] do not use `Object.prototype.toString` when `Symbol.toStringTag` is shammed
• [Deps] update `has-symbols`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [readme] add actions and codecov badges
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+
• v1.1.2
• [Robustness] use `call-bind`
• [meta] do not publish github action workflow files
• [readme] fix repo URLs; remove travis badge
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`
• [meta] gitignore coverage output
• [actions] update workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`
• [Tests] migrate tests to Github Actions
• [Tests] run `nyc` on all tests
• [actions] add "Allow Edits" workflow
• [actions] switch Automatic Rebase workflow to `pull_request_target` event

↗️ pug-code-gen (indirect, 3.0.1 → 3.0.4) · Repo · Changelog

Security Advisories 🚨

🚨 Pug allows JavaScript code execution if an application accepts untrusted input

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

🚨 Remote code execution via the `pretty` option.

Impact

If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Patches

Upgrade to pug@3.0.1 or pug-code-gen@3.0.2 or pug-code-gen@2.0.3, which correctly sanitise the parameter.

Workarounds

If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

References

Original report: #3312

For more information

If you believe you have found other vulnerabilities, please DO NOT open an issue. Instead, you can follow the instructions in our Security Policy

🆕 @​babel/helper-string-parser (added, 7.27.1)

🆕 call-bind-apply-helpers (added, 1.0.2)

🆕 call-bound (added, 1.0.4)

🆕 dunder-proto (added, 1.0.1)

🆕 es-define-property (added, 1.0.1)

🆕 es-errors (added, 1.3.0)

🆕 es-object-atoms (added, 1.1.1)

🆕 function-bind (added, 1.1.2)

🆕 get-intrinsic (added, 1.3.0)

🆕 get-proto (added, 1.0.1)

🆕 gopd (added, 1.2.0)

🆕 has-tostringtag (added, 1.0.2)

🆕 hasown (added, 2.0.2)

🆕 math-intrinsics (added, 1.1.0)

🗑️ lodash (removed)

🗑️ to-fast-properties (removed)

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)