That is not necessarily a bad thing, sometime stability is what matters the most. But here the last commit was removal of a security and bugs branch...
Pug has been pretty complete for quite a while, there just isn't that big of a potential for insecurity for something that becomes vue's html/jsx at build time and 99% of run time threats is basically that the dev sent unsanitized use input to v-html instead of v-text.
The main problem with pug is that, AFAIK, vue is the only modern webframework with stable support for it.
