Skip to content

chore(deps): bump pug from 3.0.2 to 3.0.3 in /frontend#3873

Merged
joanagmaia merged 3 commits intomainfrom
dependabot/npm_and_yarn/frontend/pug-3.0.3
Feb 24, 2026
Merged

chore(deps): bump pug from 3.0.2 to 3.0.3 in /frontend#3873
joanagmaia merged 3 commits intomainfrom
dependabot/npm_and_yarn/frontend/pug-3.0.3

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 24, 2026
edited by cursor bot
Loading

Bumps pug from 3.0.2 to 3.0.3.

Release notes

Sourced from pug's releases.

pug-code-gen@3.0.3

Bug Fixes

  • Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.3

Bug Fixes

  • Update pug-code-gen with the following fix: (#3438)

    Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only dependency bump; primary risk is CI/build/install behavior changes from updated versions/metadata, with no product code changes.

Overview
Bumps the frontend dev dependency pug from 3.0.2 to 3.0.3 in frontend/package-lock.json, including updating pug-code-gen to ^3.0.3 and refreshing resolved/integrity metadata.

Also reclassifies several lockfile entries by removing dev: true from optional/native dependencies (e.g., @parcel/watcher platform packages, detect-libc, node-addon-api), which may affect how they’re treated during install but doesn’t change application runtime code.

Written by Cursor Bugbot for commit 14d8808. This will update automatically on new commits. Configure here.

@dependabot
chore(deps): bump pug from 3.0.2 to 3.0.3 in /frontend
14d8808 
Bumps [pug](https://github.com/pugjs/pug) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/pug@3.0.2...pug@3.0.3)

---
updated-dependencies:
- dependency-name: pug
  dependency-version: 3.0.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 24, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 24, 2026

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

1 similar comment
@github-actions
Copy link
Contributor

github-actions bot commented Feb 24, 2026

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

cursor[bot]
cursor bot reviewed Feb 24, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

frontend/package-lock.json
"cpu": [
"ia32"
],
"dev": true,
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev dependencies promoted to production install

Medium Severity

Several packages (notably @parcel/watcher and its platform builds) lost their dev marking in frontend/package-lock.json, which can cause them to be installed during production installs. Since @parcel/watcher has an install script and native binaries, this can break production builds/deploys or unexpectedly increase runtime image size.

Additional Locations (2)

Fix in Cursor Fix in Web

@joanagmaia joanagmaia merged commit 50e914f into main Feb 24, 2026
8 checks passed
@joanagmaia joanagmaia deleted the dependabot/npm_and_yarn/frontend/pug-3.0.3 branch February 24, 2026 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joanagmaia