Conversation
9c494ca to
f82a73a
Compare
|
There are some things here that is unclear and making me uneasy:
|
|
There are some things here that is unclear and making me uneasy:
Hi! Thanks for reviewing :)
- There is no deprecation here. Seems to have dropped `SafeYAML`
entirely. What happens to downstream plugins that uses `SafeYAML`?
Ok... should I add some deprecation warnings so they can start using the
Jekyll wrapper?
- The module name `Jekyll::YAML` is ambiguous. When used without the
`Jekyll::` id, it is unclear whether we are calling the Ruby stdlib
module (`::YAML`) or the one under `Jekyll`.
Sure, I could move it to Jekyll::Utils as suggested by the issue
- There is inconsistent use of `read_opts:` kwarg based on the
diff. Why the inconsistency?
I'll check that. I also found some cases where SafeYAML was loading
files without read options from configuration, specially when it's used
on commands, how would you handle that? Has it been an issue?
- Lastly, the commit author and PR author seem to be different ids. Are they both the same person?
Yes, it's my work email
|
Yes. That's the way it is usually done. We need to give time to downstream plugins to make changes as necessary since we are only going to bump the minor version in the next release. IMHO, The correct way to go about doing this is to:
Without deprecation warnings and interception-forwarding, we might as well use |
My recommendation would be to not use the |
|
Note that there are two comments above this. (in case you don't see them in your email notification.) |
|
`export wrapper method(s)` > **`intercept calls to 'SafeYAML'`** >
`issue deprecation warnings` > **`forward to associated wrapper`**
I added a `Jekyll::SafeYAMLDeprecator` module which extends `SafeYAML`
to issue deprecation warnings, but since it skips `SafeYAML` altogether
I'm wondering if safe_yaml can be removed and just a a mock class.
|
|
My recommendation would be to not use the `read_opts` configuration for YAML loading at all. It is meant for `File.read` calls.
Yes, they are passed directly to `File.read` when available (`Jekyll::Site#file_read_opts`), you mean `Jekyll::Utils#safe_load_yaml_file` should only accept a filename argument?
|
|
@fauno Based on the errors reported in the check_run, and in sync with @DirtyF's decision to add this to the v5.0 milestone, I'm deferring this for the future. The maintainers will revisit this if In the interim, you're free to continue improving the code in this branch. |
|
Just a heads up, Gentoo is going to remove Jekyll packages because of the dependency on safe_yaml (which doesn't work with recent Ruby versions): AFAICS Debian's Jekyll package includes this PR as a patch, |
|
Direct link to debian's patch: https://salsa.debian.org/ruby-team/jekyll/-/blob/master/debian/patches/0016-Drop-usage-of-safe_yaml.patch |
|
Thank you for letting us know, @ulm and @Flowdalic. |
|
Hey, I'm quite busy at the moment but I can carve some time in May |
|
No hurry, @fauno. |
@ashmaroli |
|
@hartwork I understand the situation with All that said, Jekyll 4.x cannot yeet Gentoo Linux will have to forego packaging Jekyll n co, for the time being. |
|
@ashmaroli if external plugins remain using |
|
Would it be useful to check if Jekyll plugins are using safe_yaml in any
way? I have always appreciated its stability and retrocompatibility :)
According to this there are a couple plugins directly depending on
safe_yaml:
https://rubygems.org/api/v1/gems/safe_yaml/reverse_dependencies.json
Though other plugins may be assuming Jekyll's safe_yaml dependency.
|
@hartwork Jekyll follows Semantic Versioning protocol and therefore cannot remove existing runtime dependencies under the assumption that downstream plugins with requirements Regarding the state of the Debian package, that would be upto respective project maintainers to worry about. Its their responsibility to have adequate tests to check if an incoming patch has an effect on existing compatibility. |
@ashmaroli just for the record, I would disagree on that assessment in any other project. It's the responsibility of plug-in code to explicitly depend on all direct dependencies and not rely on other software to pull them in. So that would just be a build system bug in those plugins, nothing more. Debian seems to agree with me on that. |
|
Alright @hartwork I [agree to disagree]. |
|
Note that this PR breaks the minimal-mistakes theme, because Psych by default does not accept YAML aliases (but it can be asked to by using |
|
@svillemot thanks! I added your patch on the PR with your authorship :) |
|
|
||
| # Safely load YAML strings | ||
| def safe_load_yaml(yaml) | ||
| Psych.safe_load(yaml, :permitted_classes => [Date, Time], aliases: true) |
There was a problem hiding this comment.
I am wondering if it would make sense to add Symbol to the list of permitted classes. Indeed, with this patch in Debian, there is a bug open because of failing tests in jekyll asciidoc plugin
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030465
caused by the fact that Symbol is not allowed to be loaded by Psych.
This is a 🔨 code refactoring.
Summary
I've had this on my mind for some time and I found it was planned a long time ago at #3951 so I gave it a try.
I expected it to be a little slower but
script/profile-docsreturns similar build times. Given dtao/safe_yaml#99 maybe I should add a benchmark?Context
Closes #3951