Latest upstream

[kivikakk]

Pulls in github/cmark-gfm#123, defaulting to safe operation.

/cc @gjtorikian for your consideration. This change requires downstream users to use :UNSAFE to get the effect that :DEFAULT previously would.

Alternatively, we could insulate users of commonmarker from the cmark-gfm change by sending CMARK_OPT_UNSAFE to the library unless :SAFE was provided -- it depends on how much we'd be concerned about users updating and complaining, I think, but I do believe defaulting to non-XSSable output is the better option.

[gjtorikian]

I do believe defaulting to non-XSSable output is the better option.

I completely agree! Thanks, as always.

[jewilmeer]

Be careful with just making a minor release for these changes. This actually should be a major version bump, as it removes the SAFE option when rendering like this:

CommonMarker.render_html(content, %i[SAFE HARDBREAKS])

[jdickey]

Agreed with @jewilmeer. For a minor release, I think the "alternative" described by @kivikakk would be the sane (if not strictly :SAFE) way to go, possibly with a deprecation warning for :DEFAULT stating that its behaviour is going to be reversed in an imminent major release. Give that a few weeks to ripple through the downstream-dependency web, then push out a major version with the default-:SAFE change (and no deprecation warning).

[kivikakk]

This actually should be a major version bump, as it removes the SAFE option when rendering like this

Normally I would agree, but with CommonMarker still being pre-1.0 the API is essentially unfrozen. (per SemVer: "Major version zero (0.y.z) is for initial development. Anything may change at any time. The public API should not be considered stable.")