[pull] main from TryGhost:main#1175
Merged
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [sanitize-html](https://redirect.github.com/apostrophecms/apostrophe/tree/main/packages/sanitize-html#readme) ([source](https://redirect.github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html)) | [`2.17.0` → `2.17.4`](https://renovatebot.com/diffs/npm/sanitize-html/2.17.0/2.17.4) |  |  |

---

### Release Notes

<details>
<summary>apostrophecms/apostrophe (sanitize-html)</summary>

### [`v2.17.4`](https://redirect.github.com/apostrophecms/apostrophe/blob/HEAD/packages/sanitize-html/CHANGELOG.md#2174)

##### Changes

- `sanitize-html` and `launder` now share a single implementation of `naughtyHref`, based on that which previously existed in `sanitize-html`.

##### Security

- Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed. All users of sanitize-html should update immediately. Thanks to [Vincenzo Turturro](https://redirect.github.com/sushi-gif) for reporting the vulnerability.

### [`v2.17.3`](https://redirect.github.com/apostrophecms/apostrophe/blob/HEAD/packages/sanitize-html/CHANGELOG.md#2173-2026-04-15)

[Compare Source](https://redirect.github.com/apostrophecms/apostrophe/compare/sanitize-html@2.17.2...sanitize-html@2.17.3)

##### Security

- Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit `option` tags. There was no vulnerability when not explicitly allowing `option` tags.

### [`v2.17.2`](https://redirect.github.com/apostrophecms/apostrophe/blob/HEAD/packages/sanitize-html/CHANGELOG.md#2172)

[Compare Source](https://redirect.github.com/apostrophecms/apostrophe/compare/sanitize-html@2.17.1...sanitize-html@2.17.2)

##### Changes

- Upgrade `htmlparser2` from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., `&#0000001`) that previously bypassed `javascript:` URL detection. Also fixes double-encoding of entities inside raw text elements like `textarea` and `option`.

### [`v2.17.1`](https://redirect.github.com/apostrophecms/apostrophe/blob/HEAD/packages/sanitize-html/CHANGELOG.md#2171-2026-02-18)

[Compare Source](https://redirect.github.com/apostrophecms/apostrophe/compare/2.17.0...sanitize-html@2.17.1)

##### Fixes

- Fix unclosed tags (e.g., `<hello`) returning empty string in `escape` and `recursiveEscape` modes. Fixes [#706](https://redirect.github.com/apostrophecms/sanitize-html/issues/706). Thanks to [Byeong Hyeon](https://redirect.github.com/choi2601) for the fix.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Etc/UTC)

- Branch creation
  - Only on Sunday and Saturday (`* * * * 0,6`)
  - Between 12:00 AM and 12:59 PM, only on Monday (`* 0-12 * * 1`)
  - Between 09:00 PM and 11:59 PM, Monday through Friday (`* 21-23 * * 1-5`)
  - Between 12:00 AM and 04:59 AM, Tuesday through Saturday (`* 0-4 * * 2-6`)
- Automerge
  - Only on Sunday and Saturday (`* * * * 0,6`)
  - Between 12:00 AM and 12:59 PM, only on Monday (`* 0-12 * * 1`)
  - Between 10:00 PM and 11:59 PM, Monday through Friday (`* 22-23 * * 1-5`)
  - Between 12:00 AM and 04:59 AM, Tuesday through Saturday (`* 0-4 * * 2-6`)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/TryGhost/Ghost).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
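The 2.17.2 release note above says the older parser did not decode zero-padded numeric character references, so a `javascript:` check saw the literal `&#0000106;avascript:` while the browser later rendered `javascript:`. The block below is an added illustration of that failure mode and is not sanitize-html's or htmlparser2's code: it contrasts a constructed decoder that caps numeric references at six digits with one that decodes them the way the HTML tokenizer does (any run of digits, decimal or hex, optional semicolon), and runs the same scheme allowlist check over both. The function names, the `SAFE_SCHEMES` allowlist and every payload are constructed for this example.

```javascript
// Added example: why an href scheme check must decode numeric character
// references the way a browser does before looking for "javascript:".
// Constructed for illustration; not the code of sanitize-html or htmlparser2.

// Strawman decoder (constructed): decimal references with at most six digits,
// semicolon required. Anything padded with more leading zeros, written in
// hex, or missing its semicolon is left undecoded.
function naiveDecode(s) {
  return s.replace(/&#(\d{1,6});/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Browser-like decoder for numeric references: unbounded digit runs (leading
// zeros included), decimal or hex, optional trailing semicolon. Invalid code
// points are left as-is. Named entities are out of scope for this example.
function decodeNumericRefs(s) {
  return s.replace(/&#(?:[xX]([0-9a-fA-F]+)|(\d+));?/g, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    if (!Number.isFinite(cp) || cp > 0x10ffff) return m;
    return String.fromCodePoint(cp);
  });
}

// Scheme allowlist for the example (constructed, not sanitize-html's default).
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Decode with the supplied decoder, strip ASCII control characters and spaces
// (conservative: browsers drop tab/LF/CR anywhere in a URL and leading or
// trailing controls), lowercase, then allowlist the scheme. Relative URLs and
// fragments have no scheme and are not "naughty".
function isNaughtyHref(href, decode) {
  const decoded = decode(href).replace(/[\u0000-\u0020]+/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(decoded);
  if (!m) return false;
  return !SAFE_SCHEMES.has(m[1]);
}

// Run one href through both decoders so the difference is visible side by side.
function compare(href) {
  return {
    naive: isNaughtyHref(href, naiveDecode),
    strict: isNaughtyHref(href, decodeNumericRefs),
  };
}

// Stand-alone demo with constructed payloads.
const PAYLOADS = [
  'https://example.com/',
  'javascript:alert(1)',
  '&#106;avascript:alert(1)',      // 3-digit reference: both decoders catch it
  '&#0000106;avascript:alert(1)',  // zero-padded: the capped decoder misses it
  '&#x6A;avascript:alert(1)',      // hex form
  '&#106avascript:alert(1)',       // no trailing semicolon
];
for (const href of PAYLOADS) {
  console.log(JSON.stringify(href), compare(href));
}
```

The lesson generalizes beyond leading zeros: any gap between what the sanitizer's decoder accepts and what the browser's tokenizer accepts is a bypass, so the check must run on the fully decoded value and the decoder must be at least as permissive as the browser.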
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [tryghost/actions](https://redirect.github.com/tryghost/actions) ([changelog](https://redirect.github.com/tryghost/actions/compare/598d6328d89dbd796aa02ae2ea66308f9d942224..128d496a57fb11e44e97d690f0d5381c58e52489)) | action | digest | `598d632` → `128d496` |

---

### Configuration

📅 **Schedule**: (in timezone Etc/UTC)

- Branch creation
  - Only on Sunday and Saturday (`* * * * 0,6`)
  - Between 12:00 AM and 12:59 PM, only on Monday (`* 0-12 * * 1`)
  - Between 09:00 PM and 11:59 PM, Monday through Friday (`* 21-23 * * 1-5`)
  - Between 12:00 AM and 04:59 AM, Tuesday through Saturday (`* 0-4 * * 2-6`)
- Automerge
  - Only on Sunday and Saturday (`* * * * 0,6`)
  - Between 12:00 AM and 12:59 PM, only on Monday (`* 0-12 * * 1`)
  - Between 10:00 PM and 11:59 PM, Monday through Friday (`* 22-23 * * 1-5`)
  - Between 12:00 AM and 04:59 AM, Tuesday through Saturday (`* 0-4 * * 2-6`)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/TryGhost/Ghost).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
no ref

Used [zopflipng](https://github.com/google/zopfli) to compress PNGs in this project. I skipped test images.

This saves about ~3 MB in total. Each file shrunk by 14.66% on average. (No files _increased_ in size.)

I basically ran `zopflipng -m -y --lossy_transparent --lossy_8bit {path} {path}` on each PNG. I used the script below to accomplish this.

```python
import sys
import subprocess
from concurrent.futures import ThreadPoolExecutor


def compress_png(path):
    """Worker function to compress a single PNG file in-place."""
    path = path.strip()
    if not path:
        return

    # Same input and output path, so the file is rewritten in place.
    # -m: more iterations (smaller output), -y: overwrite without prompting.
    cmd = ["zopflipng", "-m", "-y", "--lossy_transparent", "--lossy_8bit", path, path]
    try:
        result = subprocess.run(
            cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False
        )
        if result.returncode == 0:
            print(f"[SUCCESS] Compressed: {path}")
        else:
            print(
                f"[ERROR] Failed to compress {path}:\n{result.stderr.strip()}",
                file=sys.stderr,
            )
    except FileNotFoundError:
        print(
            "[CRITICAL] 'zopflipng' is not installed or not in your PATH.",
            file=sys.stderr,
        )
        sys.exit(1)
    except Exception as e:
        print(f"[ERROR] Unexpected error processing {path}: {e}", file=sys.stderr)


def main():
    # One PNG path per line on stdin.
    paths = [line.strip() for line in sys.stdin if line.strip()]
    if not paths:
        print("No paths received from stdin.", file=sys.stderr)
        return

    print(f"Processing {len(paths)} files in parallel...", flush=True)
    with ThreadPoolExecutor() as executor:
        # Consume the results: an exception (including the SystemExit raised
        # when zopflipng is missing) is otherwise swallowed inside the worker
        # thread and the process exits 0.
        for _ in executor.map(compress_png, paths):
            pass


if __name__ == "__main__":
    main()
```
Made serve public file middleware test more realistic

ref 986f78e

Let's test this middleware without stubbing.
Created by pull[bot] (v2.0.0-alpha.4)