Update dependency nunjucks to v3.2.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nunjucks	3.2.0 → 3.2.4

GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '', place: '' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1825980

---

Release Notes

mozilla/nunjucks (nunjucks)

v3.2.4

Compare Source

• HTML encode backslashes when expressions are passed through the escape
  filter (including when this is done automatically with autoescape). Merge
  of #​1437.

v3.2.3

Compare Source

• Add support for nested attributes on
  sort filter;
  respect throwOnUndefined if sort attribute is undefined.
• Add base arg to
  int filter.
• Move chokidar to peerDependencies and mark it optional in peerDependenciesMeta.
• Fix prototype pollution issue for template variables. Merge of
  #​1330; fixes
  #​1331. Thanks
  ChenKS12138!

v3.2.2

Compare Source

• Add select and
  reject filters.
  Merge of #​1278 and
  #​1279; fixes
  #​282. Thanks
  ogonkov!
• Fix precompile binary script TypeError: name.replace is not a function.
  Fixes #​1295.
• Add support for nested attributes on
  groupby filter;
  respect throwOnUndefined option, if the groupby attribute is undefined.
  Merge of #​1276; fixes
  #​1198. Thanks
  ogonkov!
• Fix bug that prevented errors in included templates from being raised when
  rendering templates synchronously. Fixes
  #​1272.
• The indent filter no longer appends an additional newline. Fixes
  #​1231.

v3.2.1

Compare Source

• Replace yargs with commander to reduce number of dependencies. Merge of
  #​1253. Thanks
  AlynxZhou.
• Update optional dependency chokidar from ^2.0.0 to ^3.3.0. Merge of
  #​1254. Thanks
  eklingen.
• Prevent optional dependency Chokidar from loading when not watching. Merge
  of #​1250. Thanks
  eklingen.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json