← Home

pug

A clean, whitespace-sensitive template language for writing HTML

2
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

forbeslindesaypug-bot

Keywords

htmljadepugtemplate

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata url-dep:uglify-js AI (npm-metadata): devDependency only; not shipped to consumers. SHA-pinned to a known UglifyJS commit. ai
typosquat typosquat.levenshtein:pg AI (typosquat): pug is a well-established template engine (pugjs.org); the name predates and is unrelated to the pg PostgreSQL client. Not a typosquat. ai
typosquat typosquat.levenshtein:yup AI (typosquat): pug is a well-established template engine; 2-edit distance from yup is coincidental. Not a typosquat. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() is the core compilation mechanism of the pug template engine — it compiles templates to JS functions. This is expected, documented behavior for this package. ai

Versions (showing 2 of 2)

Version Deps Published
3.0.4 8 / 10
3.0.3 8 / 10

v3.0.3

2 findings
HIGH SHA-pinned github dependency (devDependencies): uglify-js npm-metadata

Dependency 'uglify-js' in `devDependencies` points to 'github:mishoo/UglifyJS2#1c15d0db456ce32f1b9b507aad97e5ee5c8285f7' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.