pug
A clean, whitespace-sensitive template language for writing HTML
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:uglify-js | AI (npm-metadata): devDependency only; not shipped to consumers. SHA-pinned to a known UglifyJS commit. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): pug is a well-established template engine (pugjs.org); the name predates and is unrelated to the pg PostgreSQL client. Not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): pug is a well-established template engine; 2-edit distance from yup is coincidental. Not a typosquat. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is the core compilation mechanism of the pug template engine — it compiles templates to JS functions. This is expected, documented behavior for this package. | ai |
v3.0.3
2 findingsDependency 'uglify-js' in `devDependencies` points to 'github:mishoo/UglifyJS2#1c15d0db456ce32f1b9b507aad97e5ee5c8285f7' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.