Vulnerability in a pug dependency

[antham]

The version of clean-css used by a pug dependency, is resolved to the version 3.4.28 but there is a vulnerability in versions below 4.1.11 (clean-css/clean-css@2929baf).

[davetapley]

Per this we need to go from

webtask-tools/package.json

Line 29 in 3da48e1

"pug": "^0.1.0",

to 2.0.3.

[antham]

I didn't see this part in the README => https://github.com/auth0/webtask-tools#issue-reporting , I don't know if what I reported fit this section but I would suggest to add an issue template for future case like this to warn anyone wanting to report a vulnerability

[davetapley]

@antham oh yeah, I didn't notice that either 😬
Oh well. I assume that this one is fine, since anyone doing an npm audit would see the vulnerability (i.e. this issue isn't really disclosing anything).

---

FYI I also pinged Auth0 support and they said:

Thank you for contacting Auth0 support. And thank you for submitting the PR. I am escalating this ticket to our engineering team to review and merge the changes. I will respond back to you as soon as I get a response back from them.

🤞