fix(deps): update dependency nunjucks to v3.2.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nunjucks	3.0.1 -> 3.2.4

GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '', place: '' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1825980

---

Release Notes

mozilla/nunjucks (nunjucks)

v3.2.4

Compare Source

• HTML encode backslashes when expressions are passed through the escape
  filter (including when this is done automatically with autoescape). Merge
  of #​1437.

v3.2.3

Compare Source

• Add support for nested attributes on
  sort filter;
  respect throwOnUndefined if sort attribute is undefined.
• Add base arg to
  int filter.
• Move chokidar to peerDependencies and mark it optional in peerDependenciesMeta.
• Fix prototype pollution issue for template variables. Merge of
  #​1330; fixes
  #​1331. Thanks
  ChenKS12138!

v3.2.2

Compare Source

• Add select and
  reject filters.
  Merge of #​1278 and
  #​1279; fixes
  #​282. Thanks
  ogonkov!
• Fix precompile binary script TypeError: name.replace is not a function.
  Fixes #​1295.
• Add support for nested attributes on
  groupby filter;
  respect throwOnUndefined option, if the groupby attribute is undefined.
  Merge of #​1276; fixes
  #​1198. Thanks
  ogonkov!
• Fix bug that prevented errors in included templates from being raised when
  rendering templates synchronously. Fixes
  #​1272.
• The indent filter no longer appends an additional newline. Fixes
  #​1231.

v3.2.1

Compare Source

• Replace yargs with commander to reduce number of dependencies. Merge of
  #​1253. Thanks
  AlynxZhou.
• Update optional dependency chokidar from ^2.0.0 to ^3.3.0. Merge of
  #​1254. Thanks
  eklingen.
• Prevent optional dependency Chokidar from loading when not watching. Merge
  of #​1250. Thanks
  eklingen.

v3.2.0

Compare Source

• Adds NodeResolveLoader,
  a Loader that loads templates using node's
  require.resolve.
  Fixes #​1175.
• Emit 'load' events on Environment instances, to allow runtime dependency
  tracking. Fixes #​1153.

v3.1.7

Compare Source

• Fix bug where exceptions were silently swallowed with synchronous render.
  Fixes #​678,
  #​1116,
  #​1127, and
  #​1164

• Removes deprecated postinstall-build package in favor of
  npm prepare.
  Merge of #​1172.
  Fixes #​1167.

  • Note: this means that npm@5 or later is required to install nunjucks
    directly from github.

v3.1.6

Compare Source

No code changes; fixed npm packaging issue.

v3.1.4

Compare Source

• Fix engine version for Node v11.1.0
• Fix "Unexpected token" error for U+2028 unicode newline. Fixes #​126 and #​736

v3.1.3

Compare Source

• Add forceescape filter. Fixes #​782

• Fix regression that prevented template errors from reporting line and column number.
  Fixes #​1087 and
  #​1095.

• Fix "Invalid type: Is" error for {% if value is defined %}. Fixes
  #​1110

• Formally drop support for node v4 (the upgrade to babel 7 in 3.1.0 made the
  build process incompatible with node < 6.9.0).

v3.1.2

Compare Source

• Fix regression to make chokidar an optional dependency again. Fixes
  #​1073
• Fix issue when running npm install nunjucks with the --no-bin-links flag
• Fix regression that broke template caching. Fixes
  #​1074

v3.1.0

Compare Source

• Support nunjucks.installJinjaCompat() with slim build. Fixes
  #​1019

• Fix calling render callback twice when a conditional import throws an error.
  Solves #​1029

• Support objects created with Object.create(null). fixes #​468

• Support ESNext iterators, using Array.from. Merge of
  #​1058

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.