pug@3.0.3

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

pug-error@2.1.0

Refactors

• Convert to TypeScript (#3355)

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.2

Bug Fixes

• Serialize Buffers to strings when storing sources for use with compileDebug: true (#3269)

pug@3.0.1

Bug Fixes

• Sanitise the pretty option (#3314)

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug-runtime@3.0.1

Bug Fixes

• Properly handle non-string values when rethrowing errors (#3269)

pug-lexer@5.0.1

Bug Fixes

• Variables starting with keywords cause the regex to "drift" on capture groups, causing errors (#3274)

• Lexer plugins are not dropped inside tag interpolation (#3296)

  You can use tag interpolation to embed tags in long strings, e.g.

  p.
    This is a #[strong long] string of text.

  Previously, lexer plugins would not work within the #[...] interpolation.

• Handle escaped unsafe interpolation correctly (#3299)

  If you want to put the literal text #{ in your html, it needs to be escaped to indicate that it should not be treated as interpolation. The same is true of !{ You can escape them by prefixing them with \, e.g.

  p These are some \#{ weird \!{ symbols

  Previously this would have incorrectly converted both escaped sequences to #{, resulting in the html:

  <p>These are some #{ weird #{ symbols</p>

  Now this correctly generates:

  <p>These are some #{ weird !{ symbols</p>

pug-code-gen@3.0.2

Bug Fixes

• Sanitise the pretty option (#3314)

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug@3.0.0

Breaking Changes

• read plugins must now return Buffer if you want to support filters that use renderBuffer (#3213)

  If you don't wish to support this advanced use case, you can continue returning string. If you did not provide a read plugin, you do not need to do anything.

• The minify option on filters now requires you to install the relevant jstransformer (#3084)

  Currently we support:

  • jstransformer-uglify-js for JavaScript
  • jstransformer-clean-css for CSS

• Drop support for node 6 and 8 (#3243)

New Features

• Support filters that apply to Buffers (#3213)

  e.g.

  // options.js
  exports.filters = {
    png: {
      // instead of a function, specify an object with a "renderBuffer" property
      // whose value is a function that takes a Buffer instead of a string
      renderBuffer: function(buffer, options) {
        var data = Buffer.from(buffer).toString('base64');
        return '<img src="data:image/png;base64, ' + data + '"/>';
      }
    }
  };

  You can then use the filter like:

  // foo.pug
  include:png my-small-image.png

• Add support for replacing code gen via a plugin with generateCode (#3230)

• Support each ... of ... loops (#3179)

  each value of iterable
    li= value

  This requires an environment that supports the for (const val of iterable) syntax in JS. You can iterate over Maps, Sets etc. as well as arrays. There is also some destructuring of map keys:

  - const map = new Map([['a', 'x'], ['b', 'y']]);
  each [key, value] of map
    li
      strong= key
      = value

pug-walk@2.0.0

Breaking Changes

• Drop support for node 6 and 8 (#3243)

New Features

• Support EachOf tokens (#3179)