fix: sanitise and escape the pretty option

[ForbesLindesay]

No description provided.

[rollingversions]

pug (3.0.0 → 3.0.1)

Bug Fixes

• Sanitise the pretty option

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug-code-gen (3.0.1 → 3.0.2)

Bug Fixes

• Sanitise the pretty option

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

Packages With No Changes

The following packages have no user facing changes, so won't be released:

• pug-attrs
• pug-error
• pug-filters
• pug-lexer
• pug-linker
• pug-load
• pug-parser
• pug-runtime
• pug-strip-comments
• pug-walk

Edit changelogs

[Nixinova]

Could this also be released as a 2.X patch so people with "pug":"^2" can receive it?

[bramkragten]

Could this also be released as a 2.X patch so people with "pug":"^2" can receive it?

You can just upgrade pug-code-gen to 2.0.3

[songkeys]

@bramkragten

You can just upgrade pug-code-gen to 2.0.3

But pug < 3.0.1 is labelled as a vulnerability. My security system keeps arguing that I should upgrade my pug@^2 to 3.0.1.

I think we should have a branch to cut a release for 2.X or remove the vulnerability label for pug.