fix(deps): update dependency pug to v3.0.3 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
pug (source)	3.0.2 → 3.0.3

GitHub Vulnerability Alerts

CVE-2024-36361

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

---

Release Notes

pugjs/pug (pug)

v3.0.3

Compare Source

Bug Fixes

• Update pug-code-gen with the following fix: (#​3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the pug dependency from version 3.0.2 to 3.0.3 in both package.json and package-lock.json. It also includes corresponding updates for sub-dependencies like pug-code-gen, pug-error, and pug-runtime, and adds license information to the lock file. I have no feedback to provide.