Npm Audit report #140

vbjay · 2023-10-09T21:23:51Z

npm --version
9.8.1

node --version
v18.18.0

npm audit

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - https://github.com/advisories/GHSA-p493-635q-r6gr
No fix available
node_modules/pug
  pug-loader  >=2.0.0
  Depends on vulnerable versions of pug
  node_modules/pug-loader
    @bluemodus/bluepack  *
    Depends on vulnerable versions of pug-loader
    node_modules/@bluemodus/bluepack

Can we get an update to use the updated pug package?

The text was updated successfully, but these errors were encountered:

webdiscus · 2023-10-10T10:35:38Z

@vbjay the pug-loader is not maintained for more than 5 years :-/

You can use the modern alternative @webdiscus/pug-loader.
This loader is 100% compatible with the original pug-loader and also has many very useful features.

If you use the pug-loader with html-webpack-plugin, you should try to use the pug-plugin.

vbjay · 2023-10-11T03:11:41Z

Then at least can we do a deprecation in npm so that npm audit/install reports that info and suggests the replacement.

webdiscus · 2023-10-12T13:35:01Z

@vbjay it would be great, but maintemers don't react at all

vbjay · 2023-10-12T13:50:41Z

Bummer. Thanks.

vbjay closed this as completed Oct 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Npm Audit report #140

Npm Audit report #140

vbjay commented Oct 9, 2023 •

edited

Loading

webdiscus commented Oct 10, 2023

vbjay commented Oct 11, 2023

webdiscus commented Oct 12, 2023

vbjay commented Oct 12, 2023

Npm Audit report #140

Npm Audit report #140

Comments

vbjay commented Oct 9, 2023 • edited Loading

webdiscus commented Oct 10, 2023

vbjay commented Oct 11, 2023

webdiscus commented Oct 12, 2023

vbjay commented Oct 12, 2023

vbjay commented Oct 9, 2023 •

edited

Loading