As per this announcement (repeated below so one less click for you):
Summary
As of now, Bleach is deprecated.
We will continue to support Bleach:
I figure that's one release a year or something like that.
Why?
Bleach sits on top of--and heavily relies on--html5lib which is no longer in active development. It is increasingly difficult to maintain Bleach in that context and I think it's nuts to build a security library on top of a library that's not in active development. There are some options (switch to something else, take over html5lib, etc), I don't particularly like any of them. I think instead, someone new should explore the options with a brand new library and a fresh start.
How does this affect astropy?
From our own installation doc:
html5lib: To read astropy.table.Table objects from HTML files using the pandas reader.
bleach: Used to sanitize text when disabling HTML escaping in the astropy.table.Table HTML writer.
Affected code:
astropy/astropy/utils/xml/writer.py: Line 185 in 8d38984
astropy/astropy/io/ascii/html.py: Line 468 in 8d38984
astropy/astropy/io/ascii/html.py: Line 305 in 8d38984
astropy/astropy/io/misc/pandas/connect.py: Lines 73 to 74 in 8d38984
Given both are optional dependencies, I think we can remove them, but it would be an API change and a loss of some features.
Should we wait and see how this plays out upstream? But how long?