chore(deps): update html-pipeline requirement from ~> 1.0 to ~> 3.2#2061
Merged
Conversation
dependabot
Bot
added
dependencies
Member
|
@dependabot rebase |
dependabot
Bot
force-pushed
the
dependabot/bundler/html-pipeline-3.2.4
branch
3 times, most recently
from
3f10ca2 to
7ea3cf9
Compare
dependabot
Bot
force-pushed
the
dependabot/bundler/html-pipeline-3.2.4
branch
2 times, most recently
from
10095d0 to
41166ac
Compare
Member
|
@dependabot rebase |
1 similar comment
Member
|
@dependabot rebase |
Contributor
Author
|
Dependabot can't evaluate your Ruby dependency files. Because of this, Dependabot cannot update this pull request. |
zkoppert
force-pushed
the
dependabot/bundler/html-pipeline-3.2.4
branch
from
41166ac to
afe769c
Compare
Updates the requirements on [html-pipeline](https://github.com/gjtorikian/html-pipeline) to permit the latest version. - [Release notes](https://github.com/gjtorikian/html-pipeline/releases) - [Changelog](https://github.com/gjtorikian/html-pipeline/blob/main/CHANGELOG.md) - [Commits](gjtorikian/html-pipeline@v1.11.0...v3.2.4) --- updated-dependencies: - dependency-name: html-pipeline dependency-version: 3.2.4 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
html-pipeline v3 reorganizes the namespace (HTML::Pipeline -> HTMLPipeline), splits the single Filter base class into TextFilter/ConvertFilter/NodeFilter, makes the pipeline accept filter instances (not classes) via explicit keyword arguments, and returns a result hash from #call. Update the test harness's sample pipeline to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert <zkoppert@github.com>
html-pipeline v3 replaces the v1 SanitizationFilter (Sanitize gem) with one backed by Selma. The default allowlist and serialization differ in observable but reasonable ways: * Heading/anchor IDs (e.g. <h2 id="first-section">) are now preserved, fixing TOC anchor links that v1 stripped silently. * <span id=...>, <div id=...>, and <caption> elements are preserved. * Bare-filename relative hrefs (<a href="rawr.html">) are dropped because Selma's :relative protocol matcher requires a leading ./, ../, or /. Absolute http(s) and root-relative links are unaffected. * Self-closing tags serialize as <br/> instead of <br>. * Non-ASCII glyphs in attribute-free text are emitted as numeric entities (\u274F -> ❏). These fixtures document representative pipeline output, not contracts the library itself enforces - real consumers build their own pipelines. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert <zkoppert@github.com>
zkoppert
force-pushed
the
dependabot/bundler/html-pipeline-3.2.4
branch
from
afe769c to
e7beefb
Compare
There was a problem hiding this comment.
Pull request overview
Upgrades the development dependency on html-pipeline to the 3.2 series and updates the repo’s test harness + expected fixture outputs to the new HTMLPipeline API and Selma-based sanitization behavior, keeping the dependency bump verifiable via bundle exec rake test.
Changes:
- Bump
html-pipelinefrom~> 1.0to~> 3.2(and updateGemfile.lockaccordingly, includingselma/zeitwerk). - Migrate
test/markup_test.rbfromHTML::Pipelineto the v3HTMLPipelineinstance API (Pipeline.call(... )[:output]). - Regenerate rendered HTML fixtures in
test/markups/to match Selma’s sanitization + serialization output (including known relative-linkhrefstripping behavior).
Show a summary per file
| File | Description |
|---|---|
github-markup.gemspec |
Updates the html-pipeline development dependency requirement to ~> 3.2. |
Gemfile.lock |
Locks the new html-pipeline version and its new dependencies (selma, zeitwerk). |
test/markup_test.rb |
Ports the test harness to HTMLPipeline v3 API and output handling. |
test/markups/README.asciidoc.html |
Updates expected sanitized/rendered output for AsciiDoc fixture under Selma. |
test/markups/README.creole.html |
Updates expected sanitized/rendered output for Creole fixture under Selma. |
test/markups/README.directives.rst.html |
Updates expected sanitized/rendered output for directives RST fixture under Selma. |
test/markups/README.litcoffee.html |
Updates expected sanitized/rendered output for Literate CoffeeScript fixture under Selma. |
test/markups/README.long.rst.html |
Updates expected sanitized/rendered output for long RST fixture under Selma. |
test/markups/README.mediawiki.html |
Updates expected sanitized/rendered output for MediaWiki fixture under Selma. |
test/markups/README.org.html |
Updates expected sanitized/rendered output for Org fixture under Selma. |
test/markups/README.pod.html |
Updates expected sanitized/rendered output for POD fixture under Selma. |
test/markups/README.rdoc.html |
Updates expected sanitized/rendered output for RDoc fixture under Selma. |
test/markups/README.rst.html |
Updates expected sanitized/rendered output for RST fixture under Selma. |
test/markups/README.rst.txt.html |
Updates expected sanitized/rendered output for RST text fixture under Selma. |
test/markups/README.toc.asciidoc.html |
Updates expected TOC/id output for AsciiDoc TOC fixture under Selma. |
test/markups/README.toc.rst.html |
Updates expected TOC/id output for RST TOC fixture under Selma. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 15/16 changed files
- Comments generated: 1
html-pipeline v3 uses Selma directly instead of the sanitize gem, and nothing in this repo requires sanitize. The 'sanitize' method calls in lib/github/markup/command_implementation.rb are an internal encoding helper, not the gem. Caught by Copilot's code review on #2061. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert <zkoppert@github.com>
zkoppert
approved these changes
Jun 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Maintainer notes (added by @zkoppert)
Why
html-pipeline3.x is a major rewrite of the API and swaps the underlying sanitizer from thesanitizegem to Selma. Dependabot's mechanical bump bumps the gemspec but leaves the test harness broken. I rebased the branch on the newmaster(post-#2072) and migratedtest/markup_test.rbso we can actually validate the upgrade.Scope: this is a test-harness change
github-markupitself does no sanitization. From the README:html-pipelineis purely a development/test dependency here. It is not required fromlib/and not loaded at runtime. Its only job is to simulate a downstream rendering pipeline so the fixture tests can sanity-check that the gem's HTML output composes cleanly with a typical consumer.Impact on actual consumers of this gem: none. The gem's output is unchanged.
Impact on GitHub.com specifically: none. GitHub.com uses its own internal pipeline (Goomba), not
html-pipeline, and does not includehtml-pipelinein its dependency tree.What changed
require 'html/pipeline'→require 'html_pipeline'HTML::Pipeline::Filtersubclass →HTMLPipeline::ConvertFiltersubclass with an instance-baseddef call(_text, context:)Pipeline.to_html(nil, filename: readme)→Pipeline.call("", context: { filename: readme })[:output].to_sUPDATE=1 bundle exec rake test(commit e7beefb). 13 files intest/markups/changed because Selma'sDEFAULT_CONFIGsanitizes differently from the oldsanitize-gem-backed defaults. These differences are properties ofHTMLPipeline::SanitizationFilter::DEFAULT_CONFIG, not of this library.sanitizegem dev dependency (commit dea1788, caught by Copilot's review): v3 uses Selma, and nothing in this repo requires thesanitizegem directly.Test-harness behavior differences worth knowing about
These are differences in how the test harness's downstream pipeline sanitizes the gem's output. They are not changes in this gem's behavior. They are recorded here as reference for anyone reading the regenerated fixtures or chaining
html-pipelinev3 themselves.idattributes are now preserved (TOC anchors flow through cleanly).<a>tags with bare-filename relativehrefs (e.g.,href="rawr.html",href="Home") get thehrefstripped by Selma's default protocol allowlist. Path-absolute (/foo), dot-prefixed (./foo,../foo), anchor (#foo), and absolute URLs are all preserved. Visible inREADME.rdoc.html,README.asciidoc.html,README.mediawiki.html.<br>serializes as<br/>, non-ASCII glyphs in text become numeric entities (❏→❏), minor whitespace differences inside<ul>and<tr>.Testing
bundle exec rake test: 62 runs, 62 pass, 0 failures.<script>,javascript:,onX=event handlers, or other XSS vectors leaked into any regenerated fixture.hrefstripping documented above) and verified no other issues.Rollout
html-pipeline).github-markup→html-pipelinev3 in their own stack will see the differences listed above. That is anhtml-pipelinev3 migration concern for them, independent of this PR.Updates the requirements on html-pipeline to permit the latest version.
Release notes
Sourced from html-pipeline's releases.
... (truncated)
Changelog
Sourced from html-pipeline's changelog.
... (truncated)
Commits
c99d76dMerge pull request #429 from gjtorikian/release/v3.2.4f00ac92[skip test] update changelog4bd9392Merge pull request #428 from gjtorikian/allow-for-sanitization-nil7a75c3e💎 bump to 3.2.4973cbefadd minitest/mock for stubsf75cd21Merge branch 'main' into allow-for-sanitization-nil7a6e748Merge pull request #427 from gjtorikian/support-ruby-4251dde6loosen commonmarkera1b66f0no need for this1b5c5fb[auto-lint]: Lint files