Update dependency nunjucks to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nunjucks	^2.5.2 → ^3.0.0

GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '', place: '' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1825980

---

Release Notes

mozilla/nunjucks (nunjucks)

v3.2.4

Compare Source

• HTML encode backslashes when expressions are passed through the escape
  filter (including when this is done automatically with autoescape). Merge
  of #​1437.

v3.2.3

Compare Source

• Add support for nested attributes on
  sort filter;
  respect throwOnUndefined if sort attribute is undefined.
• Add base arg to
  int filter.
• Move chokidar to peerDependencies and mark it optional in peerDependenciesMeta.
• Fix prototype pollution issue for template variables. Merge of
  #​1330; fixes
  #​1331. Thanks
  ChenKS12138!

v3.2.2

Compare Source

• Add select and
  reject filters.
  Merge of #​1278 and
  #​1279; fixes
  #​282. Thanks
  ogonkov!
• Fix precompile binary script TypeError: name.replace is not a function.
  Fixes #​1295.
• Add support for nested attributes on
  groupby filter;
  respect throwOnUndefined option, if the groupby attribute is undefined.
  Merge of #​1276; fixes
  #​1198. Thanks
  ogonkov!
• Fix bug that prevented errors in included templates from being raised when
  rendering templates synchronously. Fixes
  #​1272.
• The indent filter no longer appends an additional newline. Fixes
  #​1231.

v3.2.1

Compare Source

• Replace yargs with commander to reduce number of dependencies. Merge of
  #​1253. Thanks
  AlynxZhou.
• Update optional dependency chokidar from ^2.0.0 to ^3.3.0. Merge of
  #​1254. Thanks
  eklingen.
• Prevent optional dependency Chokidar from loading when not watching. Merge
  of #​1250. Thanks
  eklingen.

v3.2.0

Compare Source

• Adds NodeResolveLoader,
  a Loader that loads templates using node's
  require.resolve.
  Fixes #​1175.
• Emit 'load' events on Environment instances, to allow runtime dependency
  tracking. Fixes #​1153.

v3.1.7

Compare Source

• Fix bug where exceptions were silently swallowed with synchronous render.
  Fixes #​678,
  #​1116,
  #​1127, and
  #​1164

• Removes deprecated postinstall-build package in favor of
  npm prepare.
  Merge of #​1172.
  Fixes #​1167.

  • Note: this means that npm@​5 or later is required to install nunjucks
    directly from github.

v3.1.6

Compare Source

No code changes; fixed npm packaging issue.

v3.1.4

Compare Source

• Fix engine version for Node v11.1.0
• Fix "Unexpected token" error for U+2028 unicode newline. Fixes #​126 and #​736

v3.1.3

Compare Source

• Add forceescape filter. Fixes #​782

• Fix regression that prevented template errors from reporting line and column number.
  Fixes #​1087 and
  #​1095.

• Fix "Invalid type: Is" error for {% if value is defined %}. Fixes
  #​1110

• Formally drop support for node v4 (the upgrade to babel 7 in 3.1.0 made the
  build process incompatible with node < 6.9.0).

v3.1.2

Compare Source

• Fix regression to make chokidar an optional dependency again. Fixes
  #​1073
• Fix issue when running npm install nunjucks with the --no-bin-links flag
• Fix regression that broke template caching. Fixes
  #​1074

v3.1.0

Compare Source

• Support nunjucks.installJinjaCompat() with slim build. Fixes
  #​1019

• Fix calling render callback twice when a conditional import throws an error.
  Solves #​1029

• Support objects created with Object.create(null). fixes #​468

• Support ESNext iterators, using Array.from. Merge of
  #​1058

v3.0.1

Compare Source

• Fix handling methods and attributes of static arrays, objects and primitives.
  Solves the issue #​937

• Add support for python-style array slices with Jinja compat enabled.
  Fixes #​188; merge of
  #​976.

• Fix call blocks having access to their parent scope. Fixes
  #​906; merge of
  #​994.

• Fix a bug that caused capturing block tags (e.g. set/endset,
  filter/endfilter) to write to the global buffer rather than capturing
  their contents. Fixes
  #​914 and
  #​972; merge of
  #​990. Thanks Noah
  Lange.

v3.0.0

Compare Source

• Allow including many templates without reaching recursion limits. Merge of
  #​787. Thanks Gleb Khudyakov.

• Allow explicitly setting null (aka none) as the value of a variable;
  don't ignore that value and look on up the frame stack or context. Fixes
  #​478. Thanks Jonny Gerig
  Meyer for the report.

• Execute blocks in a child frame that can't write to its parent. This means
  that vars set inside blocks will not leak outside of the block, base
  templates can no longer see vars set in templates that inherit them, and
  super() can no longer set vars in its calling scope. Fixes the inheritance
  portion of #​561, which
  fully closes that issue. Thanks legutierr for the report.

• Prevent macros from seeing or affecting their calling scope. Merge of
  #​667.

• Fix handling of macro arg with default value which shares a name with another
  macro. Merge of #​791.

• Add support for the spaces parameter in the dump template filter.
  Merge of #​868.
  Thanks Jesse Eikema

• Add verbatim as an alias of raw for compatibility with Twig.
  Merge of #​874.

• Add new nl2br filter. Thanks Marc-Aurèle Darche

• Add support for python's list.append with Jinja compat enabled. Thanks
  Conor Flannigan.

• Add variables whitespace control.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

No /opt/buildpack/tools/node/6.17.1/bin/npx defined - aborting
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated gulp-util@2.2.20: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated crypto@0.0.3: This package is no longer supported. It's now a built-in Node module. If you've depended on crypto, you should switch to the one that's built-in.
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated joi@6.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated topo@1.1.0: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated superagent@3.8.3: Please upgrade to v7.0.2+ of superagent.  We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing.  See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.3.2 (node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.0.0 (node_modules/forever-monitor/node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules/gulp-nodemon/node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN ws@8.11.0 requires a peer of bufferutil@^4.0.1 but none was installed.
npm WARN ws@8.11.0 requires a peer of utf-8-validate@^5.0.2 but none was installed.
npm ERR! Linux 5.4.0-1084-aws
npm ERR! argv "/opt/buildpack/tools/node/6.17.1/bin/node" "/usr/local/bin/npm" "install" "--package-lock-only" "--no-audit" "--ignore-scripts"
npm ERR! node v6.17.1
npm ERR! npm  v3.10.10
npm ERR! path /mnt/renovate/gh/hmcts/cmc-prototype/node_modules/.staging/@types/cors-d3a7c696/package.json
npm ERR! code ENOTDIR
npm ERR! errno -20
npm ERR! syscall open

npm ERR! ENOTDIR: not a directory, open '/mnt/renovate/gh/hmcts/cmc-prototype/node_modules/.staging/@types/cors-d3a7c696/package.json'
npm ERR! 
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     /mnt/renovate/gh/hmcts/cmc-prototype/npm-debug.log