Open cuibonobo opened 6 years ago
It looks like we're already using v2:
https://github.com/matrix-org/synapse/blob/6ff99e3bea481790782c252c5433e9a88f65c4b0/poetry.lock#L963
And we just have a slightly broader version defined in pyproject.toml
(docs):
Can we bump the minimum version to 1.5 to make the proposed change? What determines our minimums? Do we just ask our packagers?
> It looks like we're already using v2:
The bit of the lockfile you quoted refers to the dependencies of the readme-renderer
package (whatever that is). We've actually locked 4.1.0:
but it might be easier to spot this by looking at the locked checksums:
A note of caution: the lockfile only describes the contents of
It doesn't cover:
`pip install matrix-synapse`).

> What determines our minimums? Do we just ask our packagers?
Pretty much. I sometimes use pkgs.org as a sanity check too, e.g. here and here.
The packagers don't seem to have any objections.
If anyone wants to pick this up, the steps are:
`poetry lock --no-update`
`ALLOWED_SCHEMES`
`safe_markup` makes use of this schema allowlist.
The 1.5 version of Bleach made the allowed protocols configurable: http://bleach.readthedocs.io/en/latest/clean.html#allowed-protocols-protocols
Once the dependency is updated, the `safe_markup` function in the mailer can be updated and these lines can be uncommented: https://github.com/matrix-org/synapse/blob/42b50483be2b022735f8ae2107314d51e92e8471/synapse/push/mailer.py#L76-L77