asciidoctor/asciidoctor.js

Update dependency for package pug to fix a vulnerability issue

VGalata opened this issue · 4 comments

Package pug has several versions affected by this vulnerability issue.
Are there plans to update the dependency to the next major version in the asciidoctor package? The current version is ^2.0.4 (see here).

Update: it seems to be addressed in #1689 though it uses only ^3.0.0 and the patched versions are 3.0.1 and 3.0.2.

Please note that Pug is included in the "all-in-one" package asciidoctor but you can also use/install @asciidoctor/core with your own version of Pug (if you are using it).

Thank you, @ggrossetie! But asciidoctor is only a transitive dependency in our case.

Should be fixed; the version in the package-lock.json is now 3.0.2.
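
The thread turns on the gap between a declared range (`^3.0.0`) and the version the lockfile actually resolves, including copies that arrive transitively. The following is an added example, not code from the asciidoctor.js project: it scans a parsed `package-lock.json` for pug copies below the 3.0.1 floor named in the thread. It assumes the lockfileVersion 2/3 `packages` layout; the sample lockfile and the package names `some-dep` and `legacy-tool` are constructed.

```javascript
// Added example: audit a parsed package-lock.json for stale pug copies.
// The floor 3.0.1 is the first patched version named in the thread above.
const PATCHED_FLOOR = "3.0.1";

// Compare plain x.y.z versions (pre-release tags are ignored in this sketch).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path,
// so nested (transitive) copies appear as ".../node_modules/<name>".
function findPackage(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Every installed copy of `name` whose resolved version is below `floor`.
function vulnerableCopies(lock, name = "pug", floor = PATCHED_FLOOR) {
  return findPackage(lock, name).filter((h) => compareVersions(h.version, floor) < 0);
}

// Constructed sample lockfile: one patched top-level copy, one stale nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/some-dep": { version: "1.2.3" },
    "node_modules/pug": { version: "3.0.2" },
    "node_modules/legacy-tool/node_modules/pug": { version: "2.0.4" },
    "node_modules/pug-runtime": { version: "3.0.1" }, // different package, must not match
  },
};

for (const hit of vulnerableCopies(sampleLock)) {
  console.log(`${hit.path} resolves pug ${hit.version}, below ${PATCHED_FLOOR}`);
}
```

Running the same check against the output of `JSON.parse` on a real lockfile shows whether a range bump upstream actually changed what is installed in the consuming project.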