[Snyk] Security upgrade pug from 2.0.0-rc.4 to 2.0.0#24
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-LODASH-15053838
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c85a49c804
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "nan": "2.11.1", | ||
| "portscanner": "1.2.0", | ||
| "pug": "2.0.0-rc.4", | ||
| "pug": "2.0.0", |
There was a problem hiding this comment.
This change bumps pug in package.json, but package-lock.json still pins pug-2.0.0-rc.4. In environments that install with the lockfile (e.g., npm ci or any deploy using the committed lock), the old vulnerable version will still be installed, so the security fix won’t actually take effect. Please regenerate and commit the lockfile so the resolved version matches 2.0.0.
Useful? React with 👍 / 👎.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution