Skip to content

Bump pug from 3.0.3 to 3.0.4#223

Merged
ericcornelissen merged 1 commit into
mainfrom
dependabot/npm_and_yarn/pug-3.0.4
Mar 17, 2026
Merged

Bump pug from 3.0.3 to 3.0.4#223
ericcornelissen merged 1 commit into
mainfrom
dependabot/npm_and_yarn/pug-3.0.4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 16, 2026

Copy link
Copy Markdown
Contributor

Bumps pug from 3.0.3 to 3.0.4.

Release notes

Sourced from pug's releases.

pug-code-gen@3.0.4

Bug Fixes

  • Ensure doctype option is properly validated (#3468)

pug@3.0.4

Bug Fixes

  • Update pug-code-gen to ensure doctype option is properly validated (#3468)
Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for pug since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pug](https://github.com/pugjs/pug) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/pug@3.0.3...pug@3.0.4)

---
updated-dependencies:
- dependency-name: pug
  dependency-version: 3.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Changes to the project's dependencies label Mar 16, 2026
@ericcornelissen

This comment was marked as resolved.

@coderabbitai

coderabbitai Bot commented Mar 17, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@ericcornelissen: Here's a summary of what's in this update:


🔧 What Changed (3.0.3 → 3.0.4)

This is a minimal patch release with a single bug fix:

  • doctype option validation fixpug-code-gen now properly validates the doctype option (issue #3468). Improper validation of compiler options has been a pattern in pug's past security issues, so tightening this is a positive hardening step.

🔒 Security

  • No new CVEs are associated with pug@3.0.4.
  • No signs of malicious activity in this release.
  • For historical context, the two notable past vulnerabilities were already addressed before 3.0.3:
    • CVE-2021-21353 affected pug < 3.0.1, where a remote attacker able to control the pretty option of the pug compiler could achieve remote code execution on the Node.js backend.
    • CVE-2024-36361 affected pug ≤ 3.0.2, where JavaScript code execution was possible if an application accepted untrusted input for the name option of compileClient, compileFileClient, or compileClientWithDependenciesTracked — though these functions are for compiling Pug templates into JavaScript and there would typically be no reason to allow untrusted callers. Both are already fixed in 3.0.3.

🚫 Breaking Changes

None. This is a patch-level fix with no API or behavioural changes beyond the corrected validation.


✨ New Features

None. This is a maintenance/bug-fix release only.


Verdict: This is a safe, low-risk update worth applying. The doctype validation fix is a sensible hardening improvement in line with pug's ongoing effort to validate compiler options properly.

@ericcornelissen ericcornelissen merged commit 37e3015 into main Mar 17, 2026
9 checks passed
@ericcornelissen ericcornelissen deleted the dependabot/npm_and_yarn/pug-3.0.4 branch March 17, 2026 07:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Changes to the project's dependencies

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant