Bump pug and @11ty/eleventy

[dependabot]

Bumps pug to 3.0.3 and updates ancestor dependency @11ty/eleventy. These dependencies need to be updated together.

Updates pug from 2.0.4 to 3.0.3

Release notes

Sourced from pug's releases.

[email protected]

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

[email protected]

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

[email protected]

Bug Fixes

• Sanitise the pretty option (#3314)

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

[email protected]

Bug Fixes

• Serialize Buffers to strings when storing sources for use with compileDebug: true (#3269)

[email protected]

Bug Fixes

• Update with to resolve core-js deprecation notice (#3259)

[email protected]

Bug Fixes

• Properly handle non-string values when rethrowing errors (#3269)

[email protected]

Bug Fixes

• Sanitise the pretty option (#3314)

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

[email protected]

Breaking Changes

• Drop support for node 6 and 8 (#3243)

[email protected]

Breaking Changes

• Drop support for node 6 and 8 (#3243)

... (truncated)

Commits

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• d4b7f60 Properly handle errors originating from included files when compileDebug is e...
• d6f0615 fix capture groups for "each" statements (#3274)
• 73ea7cf fix: keep lexer plugins inside tag interpolation (#3296)
• 29a53c5 fix: Fix pug-lexer parsed escaped interpolations incorrectly (#3299)
• 60b1b15 chore: update supported versions (#3315)
• 991e78f fix: sanitise and escape the pretty option (#3314)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pug-bot, a new releaser for pug since your current version.

Updates @11ty/eleventy from 0.10.0 to 2.0.1

Release notes

Sourced from @​11ty/eleventy's releases.

Eleventy v2.0.1: a Bug Fix Release

Eleventy v2.0.1 is now available! You can try it out in your project now:

npm install @11ty/eleventy@latest

• Read more about project versus global installation.

New to Eleventy?

Eleventy is a flexible and production-ready site generator known for its zero-client JavaScript footprint, speedy sites, speedy builds, and full control over the output.

• Build a blog from scratch in 6 minutes with Eleventy
• Watch The State of Eleventy in Two Minutes
• Read more about Eleventy’s project goals.

Features and Fixes

• Fixed: this.eleventy in JavaScript template functions #2790
• Fixed: lodash security audits #2877
• Fixed: pagination targets with object bracket notation #2851
• Fixed: 11ty.js templates were too aggressively cached on watch/serve #2839 #2838
• Fixed: Handlebars partials were too aggressively cached on watch/serve #2799
• Fixed: Configuration reload fixes #2864 #2869 #2867
• New: Serverless pagination now works with Arrays and Objects #2853 #2544 Learn more: https://www.11ty.dev/docs/plugins/serverless/#dynamic-slugs-to-subset-your-pagination
• Typo fixes by @​deining in #2845

Housekeeping

• Full milestone/issue list: https://github.com/11ty/eleventy/milestone/43?closed=1
• Full changelog: 11ty/eleventy@v2.0.0...v2.0.1

Thank You Notes

This project would not be possible without our lovely community. Thank you to everyone that built something with Eleventy (×684 authors on our web site!), wrote a blog post about Eleventy, contributed code, wrote a plugins, helped with documentation, asked questions, answered questions, braved The Leaderboards, participated on Discord, filed issues, attended (or organized!) a meetup, said a kind word on social media ❤️.

• A huge thank you to Netlify, especially: @​biilmann, Chris Bach, Lauren Sell (alum), and Claire Knight, without whom this release would not have been possible.
• 🏆 A special thanks to @​pdehaan for their tireless contributions on the Eleventy Issue tracker.
• Yet more thanks to the all star Discord Moderators and Meetup Coordinators @​BenDMyers, @​clottman, @​dleatherman, @​darthmall, @​nachtfunke, @​siakaramalegos and @​5t3ph.
• All of our supporters on Open Collective ❤️
• Contribute on Open Collective
• How else can you contribute to Eleventy?

Open Collective Supporters

• Gold Sponsors: Sanity.io, Nordhealth, CloudCannon, Transloadit
• Silver Sponsors: Unabridged Software, PQINA, Bejamas, Nathan Smith, Monarch Air Group, Getform.io, Mercury Jets, OCEG
• Backers: Tyler Gaw, Ariel Salminen, Peter deHaan, Melanie Sumner, Ben Nash, Alejandro Rodríguez, Mat Marquis, Philip Borenstein, Jérôme Coupé, Nicolas Hoizey, Mike Aparicio, Ben Myers, Katie Sylor-Miller, Mark Buskbjerg, mortendk, Aaron Hans, Lauris Consulting, John Meyerhofer, Todd Libby, shawn j sandy, Luke Bonaccorsi, Higby, Jenn Schiffer, Dimitrios Grammatikogiannis, Devin Clark, Eric Bailey, Manuel Matuzovic, Tim Giles, Kyosuke Nakamura, Rob Sterlini, Horacio Gonzalez, Hans Gerwitz, Makoto Kawasaki, Josh Crain, Richard Hemmer, Nick Nisi, John SJ Anderson, Ryan Swaney, Alistair Shepherd, Ivo Herrmann, Flaki, Angelique Weger, John Hall, Scott McCracken, James Steinbach, Miriam Suzanne, Bentley Davis, Ara Abcarians, vince falconi, Martin Schneider, Stephanie Eckles, Frontend Weekly Tokyo, Dorin Vancea, Chris Burnell, Ximenav Vf., Rich Holman, Kasper Storgaard, Kevin Healy, Greg Gibson, Michelle Barker, Alesandro Ortiz, David A. Herron, Paul Robert Lloyd, Andrea Vaghi, Bryan Robinson, Ashur Cabrera, Raymond Camden, John Meguerian, Joe Lamyman, Dan Ryan, Sam, Brett Nelson, Paul Welsh, Ingo Steinke, Noel Forte, Melanie Richards, Marco Zehe, Wes Ruvalcaba, Luc Poupard, Entle Web Solutions, Ken Hawkins, Fershad Irani, Nikita Dubko, Aaron Gustafson, Chris, Christian Miles, Benjamin Geese, Marcus Relacion, Netin nopeustesti, Raphael Höser, Cthos, Sia Karamalegos, Jon Kuperman, Saneef Ansari, Michel van der Kroef, Flemming Meyer, Colin Fahrion, Dan Burzo, Dan Ott, Mobilemall.pk, Cheap VPS, David Darnes, Jon Roobottom, Dana Byerly, Oisín Quinn, Renkaatsopivasti, Windesol Sähkön Kilpailutus, Luke Mitchell, SignpostMarv, THE PADDING, Bob Monsour, Richmond Insulation, Patrick Byrne, zapscribbles, Frank Reding, quinnanya, Cory Birdsong, Aram ZS, Andy Stevenson, Robin Rendle, HelppoHinta.fi, Tanner Dolby, jpoehnelt, xdesro, Alex Zappa, Richmond Concrete, Alexander Wunschik, Tom, CelineDesign, Nic Chan, Duc Lam, Stephen Bell, Robert Haselbacher, Lene, Brett DeWoody, alistairtweedie, Meta Tier List, Iva Tech, Daniel Saunders, Josh Vickerson, Dan Urbanowicz, dan leatherman, Jens Grochtdreis, CBD Review, Eric Gallager, Softermii, Eric Carlisle, Claus Conrad, Anna E. Cook, David Luhr, Matt Obee, Kiekkotorni - Nikotiinipussit

... (truncated)

Commits

• e71cb94 Coverage
• bbc3fc1 v2.0.1
• 347d41b v2.0.1-beta.2
• 3203e3a Update dependencies
• 716f65a v2.0.1-beta.1
• 273bf3b v2.0.1-alpha.3
• 916805e Publish the dependency graph in eleventy.after args
• 67ce615 Fixes #2754
• 30c7113 Custom lodash build, fixes #2877
• a9323c3 Fixes #2790
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.