python-packages: bleach 1.4.3 -> 1.5 #21450
Conversation
|
@spacekitteh, thanks for your PR! By analyzing the history of the files in this pull request, we identified @FRidh to be a potential reviewer. |
spacekitteh
force-pushed
the
patch-22
branch
from
0aa5d2e
to
d91edb9
Compare
spacekitteh
force-pushed
the
patch-22
branch
from
d91edb9
to
a4ad787
Compare
| }; | ||
|
|
||
| buildInputs = with self; [ nose ]; | ||
| propagatedBuildInputs = with self; [ six html5lib ]; | ||
| propagatedBuildInputs = with self; [ six html5lib_0_9999999 pytestrunner pytest_303]; |
There was a problem hiding this comment.
Does bleach absolutely need that version of html5lib? And that specific version of pytest? And are pytest and pytestrunner runtime dependencies (that is, install_requires)?
|
Yep to everything you said |
|
This needs to be backported into stable. |
rycee
added
the
9.needs: port to stable
|
Because we broke bleach with the html5lib bump? |
|
Yeah, for example matrix synapse. |
|
Sigh, why did I merge that bump in the first place; its causing nothing but trouble. I'll see if we can somehow revert to an older version of |
|
Unfortunately that is not possible because the CVE was in the second latest beta of html5lib. |
Unfortunately bleach depends on an older version of html5lib and cannot use the latest version because the sanitizer module has been moved out. mozilla/bleach#217 This item is cherry-picked to unbreak bleach and thus matrix-synapse on stable. (cherry picked from commit 2f977b4)
|
And it's in stable. |
|
Thanks! Yeah, the html5lib seems a bit crazy with these versions. |
|
html5lib-python 1.0 is blocked on this, for the record: html5lib/html5lib-python#307 (comment) |
Motivation for this change
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)