fix two dependabot security alerts

[jerkey]

github's dependabot says we need to do something so it can see what versions of pug and ecstatic we're using - this looks like it might be no big deal but since it's flagging as a possible security issue we should try to fix it. As for ecstatic, there is an actual security issue that's relevant unless we're using a more recent version.

Here's what github says we should do about it:

what to do about pug dependancy issue

what to do about ecstatic dependancy issue

[kenrestivo]

Those links are 404

[kenrestivo]

Dunno about security alerts, but I ran dependabot on a fork and merged its recommendations https://github.com/kenrestivo/sudo-humans/commits/master

[jnny]

@kenrestivo wanna turn that into a pull request? :)