Redcarpet

Upstream URL                        Security Risk    Abandonment Risk
https://github.com/vmg/redcarpet    Medium           Very Low

External contacts

The Redcarpet team is reachable only through the project's public GitHub issue tracker. No security policy or private disclosure channel is published, so any vulnerability report we filed would be public from the moment it is opened.

Security posture

Redcarpet converts the Markdown body of custom Pages into HTML. Page bodies are written by the store owner, so the renderer never sees unauthenticated, customer-supplied input. The residual risk is client-side: Redcarpet passes raw HTML and arbitrary link targets straight through to its output unless the renderer is configured to filter or escape them, so whatever the owner writes, including anything pasted from an untrusted source or written by an attacker who has taken over the owner's account, reaches every visitor's browser. A store owner being tricked into writing a Markdown or HTML stanza that exploits visitors' browsers is exceedingly unlikely but not impossible. The cheap mitigation is to render with Redcarpet's filter_html (or escape_html) and safe_links_only options, or to pass the output through an HTML sanitizer before it is served. For these reasons, we classify Redcarpet as medium risk.

Abandonment risk

Redcarpet was written at GitHub and is used by dev.to and over 100,000 other projects. The maintainer team is very stable and is partially funded by these large projects. For these reasons, we find it very unlikely to be abandoned.

If it were abandoned, it would still be useful to the Mall on Rails project in its present state. The main ongoing cost would be keeping its C extension building against new Ruby releases, which a community fork or a vendored patch would cover; further maintenance would most likely be performed by the community.

Versioning policy

We presently pin Redcarpet to the 3.x series with a floor of 3.6, the earliest release that builds on Ruby 3.3. Each new Redcarpet release is evaluated within one week of publication. Evaluation includes rendering a representative set of Markdown pages and confirming that the output still expresses the store owner's intent; byte-identical output is not required.