Remove retired earmark and unused phoenix_storybook dependencies #4886
Merged
Conversation
Replace the direct earmark dependency with mdex for rendering AI assistant message content. earmark is retired and unmaintained; mix hex.audit flags it. mdex node structs cannot hold arbitrary HTML attributes, so per-element Tailwind classes are now injected into the rendered HTML instead of via AST manipulation. Raw HTML passthrough and the raw-content fallback are preserved, and the language- prefix on code blocks is stripped to keep earmark's previous output. earmark remains a dev-only transitive dependency of phoenix_storybook 0.9.2 until that is upgraded to 1.2+ (which requires Phoenix 1.8).
phoenix_storybook 0.9.2 carried three open advisories flagged by mix deps.audit (critical RCE, atom-table DoS, PubSub topic injection). It was dev-only with no production exposure, and storybook was dormant: only three demo stories existed and nothing had changed since the 2023 prototype. Remove the package rather than upgrade to 1.1.0. Drop the dep and its dev routes, delete the backend module, stories, and assets, and strip the esbuild/tailwind/live-reload config. Clear the storybook advisory IDs from the CI deps.audit ignore list, leaving only the cowlib advisory (no patch available yet). Remove now-orphaned lock entries via mix deps.unlock --unused.
Codecov Report ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## main #4886 +/- ##
=======================================
- Coverage 90.5% 90.5% -0.0%
=======================================
Files 445 445
Lines 22752 22746 -6
=======================================
- Hits 20589 20580 -9
- Misses 2163 2166 +3
MDEx emits the standard `<code class="language-javascript">` for fenced code blocks. We were rewriting it back to Earmark's old bare `<code class="javascript">`, but nothing consumes that class (no syntax highlighter is wired up, and the markdown CSS targets `pre code` by element), so keep MDEx's conventional output instead.
The earmark→mdex migration left MDEx running as plain CommonMark, which silently dropped the GFM features earmark rendered by default. Assistant replies containing markdown tables showed as raw pipe text, strikethrough and bare-URL autolinks stopped working. Enable the table, strikethrough, autolink, and tasklist extensions to restore the prior rendering, and add a regression test covering them.
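As an added illustration (not code from this PR or the project), this is how the rendering described in these commits can be wired up with MDEx: the GFM extensions enabled, raw HTML passed through, per-element Tailwind classes injected into the rendered HTML rather than via the AST, and the raw text returned as a fallback. The module name, the class map and the `unsafe_:` render option name are assumptions; check the option name against the installed MDEx version.

```elixir
defmodule AssistantMarkdown do
  @moduledoc """
  Hypothetical renderer for assistant replies, modelled on the commits above.
  Assumes MDEx.to_html/2 returns {:ok, html} | {:error, reason}.
  """

  # GFM features earmark rendered by default; plain CommonMark drops them.
  @extensions [table: true, strikethrough: true, autolink: true, tasklist: true]

  # MDEx nodes cannot carry attributes, so classes are added to the HTML output.
  # Class strings are constructed sample values, not the project's own.
  @classes %{
    "table" => "table-auto border-collapse",
    "a" => "underline text-primary-600",
    "pre" => "rounded bg-slate-900 p-2 text-slate-100"
  }

  @doc "Render markdown to HTML; on a parse error return the raw content unchanged."
  def render(markdown) when is_binary(markdown) do
    # unsafe_: true keeps raw HTML passthrough (option name assumed; verify per version).
    case MDEx.to_html(markdown, extension: @extensions, render: [unsafe_: true]) do
      {:ok, html} -> inject_classes(html)
      {:error, _reason} -> markdown
    end
  end

  # Add a class attribute to opening tags that do not already carry one.
  # The lookahead on whitespace or '>' stops "<a" from matching "<article".
  defp inject_classes(html) do
    Enum.reduce(@classes, html, fn {tag, class}, acc ->
      Regex.replace(~r/<#{tag}(?=[\s>])(?![^>]*\bclass=)/, acc, "<#{tag} class=\"#{class}\"")
    end)
  end
end

# Constructed sample input exercising table, strikethrough and autolink output.
IO.puts(AssistantMarkdown.render("| a | b |\n|---|---|\n| 1 | 2 |\n\n~~old~~ https://example.com"))
```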
Security Review ✅
stuartc (Member) approved these changes, Jun 26, 2026:
Approved, nice work. Conditional on whether the JS code formatting (colours) still works correctly.
Description
This PR removes two retired/unused dev dependencies flagged by our dependency audits. They're handled together because the only thing still pulling in the retired earmark markdown library was phoenix_storybook — so removing both in one pass clears earmark entirely.

earmark → mdex (#4878)
Replace the direct earmark dependency with mdex for rendering AI assistant message content. earmark is retired and unmaintained; mix hex.audit flags it. mdex node structs cannot hold arbitrary HTML attributes, so per-element Tailwind classes are now injected into the rendered HTML instead of via AST manipulation. Raw HTML passthrough and the raw-content fallback are preserved, and the language- prefix on code blocks is stripped to keep earmark's previous output.

Remove phoenix_storybook (#4846)
phoenix_storybook 0.9.2 was the last consumer of the retired earmark (it pulls it in as a dev-only transitive dep), and it also carried three open advisories flagged by mix deps.audit (critical RCE via HEEx injection, atom-table DoS, PubSub topic injection). It was dev-only with no production exposure, and storybook was dormant — only three demo stories existed and nothing had changed since the 2023 prototype. Rather than upgrade to 1.1.0, the package is removed entirely, which also lets mix deps.unlock --unused drop earmark from the lockfile:
- Drop the dep and its dev routes, delete the backend module, stories, and assets, and strip the esbuild/tailwind/live-reload config.
- Clear the storybook advisory IDs from the CI mix deps.audit ignore list, leaving only the cowlib advisory (no patch available yet).
- Remove now-orphaned lock entries via mix deps.unlock --unused.

Closes #4878
Closes #4846

Validation steps
- mix deps.audit reports no vulnerabilities (only the cowlib advisory remains ignored in CI).
- iex -S mix phx.server boots in dev with no storybook route errors.
- raw HTML, fallback content).
AI Usage
Please disclose whether you've used AI anywhere in this PR (it's cool, we just want to know!):
You can read more details in our Responsible AI Policy.