Turret is a styles and browser behaviour normalisation framework for rapid development of responsive and accessible websites.

  • By turretcss
  • Last update: Dec 31, 2022
  • Comments: 17

turretcss

turretcss - A Responsive Front-end Framework for Accessible and Semantic Websites with default HTML elements, created by Scott de Jonge.

To get started, check out https://turretcss.com!

Quick start

Several quick start options are available:

  • Download the latest release.
  • Clone the repo: git clone https://github.com/turretcss/turretcss.git.
  • Install with npm: npm install turretcss.
  • Install with yarn: yarn add turretcss

Read the Getting started page for information on structure, usage, support and more.

Bugs and feature requests

Have a bug or a feature request? Please first search for existing and closed issues. If your problem or idea is not addressed yet, please open a new issue.

Documentation

View full documentation at: https://turretcss.com/

turretcss's documentation, included in this repo in the docs directory, is built with Jekyll and publicly hosted on GitHub Pages at https://turretcss.com. The docs may also be run locally.

Tooling

To use and run the documentation locally, you'll need a copy of turretcss's source files, and Node. To install the required tools follow these steps:

  1. Download and install Node, which we use to manage our dependencies.
  2. Navigate to the root /turret directory and run npm install to install our local dependencies listed in package.json.
  3. Install Ruby, install Bundler with gem install bundler, and finally run bundle install. This will install all Ruby dependencies, such as Jekyll and plugins.

When completed, you'll be able to run the various scripts provided from the command line.

Scripts

turretcss includes the following commands and tasks:

Task            Description
start           Run npm run watch
watch           Run npm run watch:turret & npm run watch:docs
watch:turret    Watches changes to the /turret directory and builds turret CSS: npm run compile:turret -- --verbose --watch
watch:docs      Watches changes to the /docs directory and builds docs CSS: npm run compile:docs -- --verbose --watch
compile:turret  Builds turret CSS using PostCSS, postcss-preset-env, and CSSNano with config in postcss.config.js
compile:docs    Builds docs CSS using PostCSS, postcss-preset-env, and CSSNano with config in postcss.config.js
format          Run npm run format:css & npm run format:md
format:css      Prettier CSS files: prettier --single-quote --print-width 180 --write '*.css'
format:md       Prettier Markdown files: prettier --print-width 180 --write '*.md'

Autoprefixer

turretcss uses Autoprefixer as part of postcss-preset-env to automatically add vendor prefixes to some CSS properties at build time.

Running documentation locally

  1. Install Ruby, then install Bundler with gem install bundler.
  2. Install Jekyll (the site builder) and other Ruby dependencies with bundle install. This will install all Ruby dependencies, such as Jekyll and plugins.
  3. Run npm start or yarn start to rebuild CSS.
  4. From the /docs directory, run bundle exec jekyll serve in the command line.
  5. Open http://0.0.0.0:2001 in your browser.

Learn more about using Jekyll by reading its documentation.

Troubleshooting

Should you encounter problems with installing dependencies or running scripts, uninstall all previous dependency versions (global and local). Then, rerun npm install.

Updates

Keep track of development updates by following @turretcss on Twitter.

Versioning

For transparency into our release cycle and in striving to maintain backward compatibility, turretcss is maintained under the Semantic Versioning guidelines.

See the Releases section of our GitHub project for changelogs for each release version of turretcss.

Creators

Scott de Jonge

Copyright and license

Code and documentation copyright 2019 Bigfish.tv. Code released under the MIT license. Docs released under Creative Commons.

Github

https://github.com/turretcss/turretcss

Comments(17)

  • 1

    Select element cannot have a label

    <p class="field">
      <label class="select" for="select">
        The label
        <select id="select">
          <option>Select Field</option>
          <option value="1">Option 01</option>
          <option value="2">Option 02</option>
        </select>
      </label>
    </p>
    

    Current behavior : The select element has no label text in examples. Adding a label text leads to broken style for the select dropdown arrow and the label is not formatted like the other labels.

    Expected behavior : The select element has a label in examples. The select can be used with or without label.

  • 2

    Plans to transition away from using @apply?

    Regarding this warning that PostCSS currently emits when processing the source files...

    You are using @apply rule and custom property sets.
    This feature won't be included in next the major release of postcss-cssnext. 
    This most likely won't get any more support from browser vendors as the spec 
    is yet considered deprecated and alternative solutions are being discussed. 
    Read more about the reason here https://github.com/pascalduez/postcss-apply
    

    Are there any plans to deprecate the _mixins in favor of something else? If future versions of cssnext are going to omit the postcss-apply plugin, then it seems that plugin would become a separate dependency in order to use the --foo {} and @apply syntax.

  • 3

    Improve html examples

    I think some HTML examples should be improved to add more semantics with appropriate tags and, where required, roles and aria-attributes.

    For example, https://turretcss.com/form/field/

    The field element should be by semantic a <fieldset> not a div.

    And this example does not make sense since <fieldset> are made to group parts of form elements, not to wrap all the elements inside the form. https://turretcss.com/form/fieldset/

    Btw I think also the fieldset style must be reviewed.

  • 4

    Add browserlist to handle browser compatibility

    Hi, I want to make some PRs to improve this project. This is the first issue I think may be implemented.

    As the title says, the project should use browserslist to define the browser compatibility and let postcss (and autoprefixer) do their magic only when required. Using the browserslist configuration file you can easily change the target build.

    postcss-preset-env already searches for it; we just define the browsers query which we want to support.

    This tool may help: https://browserl.ist/

    Here are the available queries: https://github.com/browserslist/browserslist#full-list

    Right now, without any specific configuration, the default one is used by postcss-preset-env:

    and_chr 67
    and_ff 60
    and_qq 1.2
    and_uc 11.8
    android 67
    android 4.4.3-4.4.4
    baidu 7.12
    bb 10
    bb 7
    chrome 68
    chrome 67
    edge 17
    edge 16
    firefox 61
    firefox 60
    ie 11
    ie 10
    ie_mob 11
    ie_mob 10
    ios_saf 11.3-11.4
    ios_saf 11.0-11.2
    op_mini all
    op_mob 46
    op_mob 12.1
    opera 55
    opera 54
    safari 11.1
    safari 11
    samsung 7.2
    samsung 6.2
    
  • 5

    display and visibility class names

    .display-block .show .hide

    1. .show applies the same style as .display-block
    2. .hide applies display: none;, but there's no .display-none utility class
    • I think it's kind of confusing to have 2 utility classes for the same style
    • I think there should be a .display-none utility class for a few reasons:
      • More consistent with the rest of the display utility classes.
      • We may want to toggle between hiding/showing an element with display: none and a display style other than display: block, for example switching between display: none; and display: inline-block

    .hidden .visible .hidden-* .visible-*

    1. .hidden applies visibility: hidden; and .visible applies visibility: visible;
    2. .hidden-* applies display: none; and .visible-* applies display: block;
    • I think these class names are confusing. From the classnames, I would've thought .hidden-* (e.g. .hidden-print) would apply the same style as .hidden, which is visibility: hidden;.
  • 6

    Add initial RTL support

    Replaces some 'left' and 'right' CSS rules with 'start' and 'end'. Partially fixes #50 . ~~This skips control.css as it may be a breaking change for those using the --control-inline-margin-right variable. This may be done at another PR.~~ This includes a variable rename at control.css where the old variable is kept for backward compatibility. This PR could be a breaking change, but that's up to you to decide.

    To completely fix #50, CSS utility classes with RTL support also need to be added. That may be done at another PR.

  • 7

    turretcss v5.0.0 plan

    Writing down some ideas, thoughts, and additions to turretcss for v5.0.0.

    Major Changes

    • Swap postcss-cssnext dependency for postcss-preset-env (or alternatively create a dependency tree from individual postcss packages)
    • Remove @apply rule throughout as per discussion in #17

    Additions

    Add xxs and xxl size variants:

    • @media queries targeting devices < 320px width (Watch etc.) and > 1920px (Smart TVs)
    • button, input, select, .control, etc. elements
    • .space, margin, padding scales potentially looking at a more standard spacing (0.5rem, 1rem, 1.5rem, 2rem, 3rem, 4rem, 5rem)

    Removal

    • Remove .big text class with viewport text scale. It's proven to be unreliable for control and I have migrated away from using it.
    • Remove display-title and small-caps text classes in favour of more scalable classes that can be chained with scale classes for more variants

    Refactoring

    • Refactor button styles to minimise specificity for :hover and :focus states, look at removing :not(:disabled) for a better solution

    Ideas

    • Use HSL for colors to utilise calc() for hue-rotation and greater color control from global variant presets.
  • 8

    first-child and grids/flexboxes

    The styles that wipe margin-top on :first-child elements make it awkward to work in situations where the items are placed in a grid or flexbox, i.e., in a horizontal layout, as the first and subsequent items' margins are not equal:

    Two input fields on a page, Name and Phone, where the first one is not aligned vertically with the second one.

    A codepen demo.

    I'm not sure what would be the most clean approach to work around this; perhaps an additional class could be provided that when applied to a parent element would revert the effect of the first-child styles on the children... Not sure.

  • 9

    Feature request: use turretcss as a no-side-effect utility library?

    I'd like to use turretcss as a utility library, like how basscss works (which lacks e.g. the cursor utils). Turretcss applies a global default style to elements though, and I found no way to disable this in the documentation.

    One could import the files in turret/utility one by one, but that's not a great way to work. Would it be possible to have e.g. a disable-turret-defaults class that could be added on the <body> to disable turret's default styling, or some other simple and proper way to achieve that? Perhaps a bundled/distributed separate import target to get all the utilities at once without the default styles?

    I could have a go at PRing this if you say you're not against the idea, but I don't know if e.g. you consider this out of scope and don't want it.

  • 10

    Fix FUNDING.yml GitHub line

    I suspect the GitHub line was left commented out unintentionally. As a result, the Sponsor button is shown on the repo, however, using it results in GitHub giving back an error:

    The FUNDING.yml file does not currently contain valid funding links.
    Learn more about formatting FUNDING.yml.
    
  • 11

    .position-[corner] classes

    From the position docs: "each position utility class is position: absolute; with top/right/bottom/left properties".

    I think the .position-[corner] classes would be more useful if it didn't automatically add position: absolute;.

    Then you could use them in conjunction with the .position-fixed class to anchor an element to a corner of the page or .position-relative to anchor to a parent relative element without removing it from the flow (maybe a less useful case).

    It's currently not possible to do this because the .position-[corner] classes come after the position-[position] classes, making the element position: absolute;.

  • 12

    Bump decode-uri-component from 0.2.0 to 0.2.2

    Bumps decode-uri-component from 0.2.0 to 0.2.2.

    Release notes

    Sourced from decode-uri-component's releases.

    v0.2.2

    • Prevent overwriting previously decoded tokens 980e0bf

    https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.1...v0.2.2

    v0.2.1

    • Switch to GitHub workflows 76abc93
    • Fix issue where decode throws - fixes #6 746ca5d
    • Update license (#1) 486d7e2
    • Tidelift tasks a650457
    • Meta tweaks 66e1c28

    https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.0...v0.2.1

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

  • 13

    Bump addressable from 2.5.2 to 2.8.1 in /docs

    Bumps addressable from 2.5.2 to 2.8.1.

    Changelog

    Sourced from addressable's changelog.

    Addressable 2.8.1

    • refactor Addressable::URI.normalize_path to address linter offenses (#430)
    • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
    • update gemspec to reflect supported Ruby versions (#466, #464, #463)
    • compatibility w/ public_suffix 5.x (#466, #465, #460)
    • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
    • Ractor compatibility (#449)
    • use the whole string instead of a single line for template match (#431)
    • force UTF-8 encoding only if needed (#341)

    #460: sporkmonger/addressable#460 #463: sporkmonger/addressable#463 #464: sporkmonger/addressable#464 #465: sporkmonger/addressable#465 #466: sporkmonger/addressable#466

    Addressable 2.8.0

    • fixes ReDoS vulnerability in Addressable::Template#match
    • no longer replaces + with spaces in queries for non-http(s) schemes
    • fixed encoding ipv6 literals
    • the :compacted flag for normalized_query now dedupes parameters
    • fix broken escape_component alias
    • dropping support for Ruby 2.0 and 2.1
    • adding Ruby 3.0 compatibility for development tasks
    • drop support for rack-mount and remove Addressable::Template#generate
    • performance improvements
    • switch CI/CD to GitHub Actions

    Addressable 2.7.0

    • added :compacted flag to normalized_query
    • heuristic_parse handles mailto: more intuitively
    • dropped explicit support for JRuby 9.0.5.0
    • compatibility w/ public_suffix 4.x
    • performance improvements

    Addressable 2.6.0

    • added tld= method to allow assignment to the public suffix
    • most heuristic_parse patterns are now case-insensitive
    • heuristic_parse handles more file:// URI variations
    • fixes bug in heuristic_parse when uri starts with digit
    • fixes bug in request_uri= with query strings
    • fixes template issues with nil and ? operator
    • frozen_string_literal pragmas added
    • minor performance improvements in regexps
    • fixes to eliminate warnings
    Commits
    • 8657465 Update version, gemspec, and CHANGELOG for 2.8.1 (#474)
    • 4fc5bb6 CI: remove Ubuntu 18.04 job (#473)
    • 860fede Force UTF-8 encoding only if needed (#341)
    • 99810af Merge pull request #431 from ojab/ct-_do_not_parse_multiline_strings
    • 7ce0f48 Merge branch 'main' into ct-_do_not_parse_multiline_strings
    • 7ecf751 Merge pull request #449 from okeeblow/freeze_concatenated_strings
    • 41f12dd Merge branch 'main' into freeze_concatenated_strings
    • 068f673 Merge pull request #459 from jarthod/iso-encoding-problem
    • b4c9882 Merge branch 'main' into iso-encoding-problem
    • 08d27e8 Merge pull request #471 from sporkmonger/sporkmonger-enable-codeql
    • Additional commits viewable in compare view

  • 14

    Bump css-what from 2.1.0 to 2.1.3

    Bumps css-what from 2.1.0 to 2.1.3.

  • 15

    Bump tzinfo from 1.2.5 to 1.2.10 in /docs

    Bumps tzinfo from 1.2.5 to 1.2.10.

    Release notes

    Sourced from tzinfo's releases.

    v1.2.10

    TZInfo v1.2.10 on RubyGems.org

    v1.2.9

    • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

    TZInfo v1.2.9 on RubyGems.org

    v1.2.8

    • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used to calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
    • Rubinius is no longer supported.

    TZInfo v1.2.8 on RubyGems.org

    v1.2.7

    • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
    • Fixed warnings when running on Ruby 2.8. #112.

    TZInfo v1.2.7 on RubyGems.org

    v1.2.6

    • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
    • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
    • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
    • Fixed warnings when running on Ruby 2.7. #106 and #111.

    TZInfo v1.2.6 on RubyGems.org

    Changelog

    Sourced from tzinfo's changelog.

    Version 1.2.10 - 19-Jul-2022

    Version 1.2.9 - 16-Dec-2020

    • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

    Version 1.2.8 - 8-Nov-2020

    • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used to calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
    • Rubinius is no longer supported.

    Version 1.2.7 - 2-Apr-2020

    • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
    • Fixed warnings when running on Ruby 2.8. #112.

    Version 1.2.6 - 24-Dec-2019

    • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
    • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
    • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
    • Fixed warnings when running on Ruby 2.7. #106 and #111.
    Commits
    • 0814dcd Fix the release date.
    • fd05e2a Preparing v1.2.10.
    • b98c32e Merge branch 'fix-directory-traversal-1.2' into 1.2
    • ac3ee68 Remove unnecessary escaping of + within regex character classes.
    • 9d49bf9 Fix relative path loading tests.
    • 394c381 Remove private_constant for consistency and compatibility.
    • 5e9f990 Exclude Arch Linux's SECURITY file from the time zone index.
    • 17fc9e1 Workaround for 'Permission denied - NUL' errors with JRuby on Windows.
    • 6bd7a51 Update copyright years.
    • 9905ca9 Fix directory traversal in Timezone.get when using Ruby data source
    • Additional commits viewable in compare view

  • 16

    Bump nokogiri from 1.10.4 to 1.13.6 in /docs

    Bumps nokogiri from 1.10.4 to 1.13.6.

    Release notes

    Sourced from nokogiri's releases.

    1.13.6 / 2022-05-08

    Security

    • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

    Improvements

    • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

    1.13.5 / 2022-05-04

    Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

    Improvements

    • [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

    Changed

    • [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.13.6 / 2022-05-08

    Security

    • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

    Improvements

    • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

    1.13.5 / 2022-05-04

    Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

    Improvements

    • [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

    Changed

    • [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

    1.13.4 / 2022-04-11

    Security

    Dependencies

    • [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
    • [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
    • [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

    ... (truncated)

    Commits
    • b7817b6 version bump to v1.13.6
    • 61b1a39 Merge pull request #2530 from sparklemotion/flavorjones-check-parse-memory-ty...
    • 83cc451 fix: {HTML4,XML}::SAX::{Parser,ParserContext} check arg types
    • 22c9e5b version bump to v1.13.5
    • 6155881 doc: update CHANGELOG for v1.13.5
    • c519a47 Merge pull request #2527 from sparklemotion/2525-update-libxml-2_9_14-v1_13_x
    • 66c2886 dep: update libxml2 to v2.9.14
    • b7c4cc3 test: unpend the LIBXML_LOADED_VERSION test on freebsd
    • eac7934 dev: require yaml
    • f3521ba style(rubocop): pend Style/FetchEnvVar for now
    • Additional commits viewable in compare view

  • 17

    color-mod

    color-mod() has been removed from Color Module Level 4 specification.

    Therefore, it's also not possible to use many turretcss color variables with a standard postcss configuration.

    Additional links: https://github.com/csstools/postcss-color-mod-function
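
The Dependabot pull requests in comments 12 to 16 above name the version each dependency is bumped to. As an added example (not code from the turretcss repository), this Node script treats those versions as minimums and reports lock-file entries that fall below them; the function names are hypothetical and both lock files are constructed samples.

```javascript
// Minimum versions, taken from the Dependabot pull requests listed on this page.
const FLOORS = {
  npm: { 'decode-uri-component': '0.2.2', 'css-what': '2.1.3' },
  gem: { addressable: '2.8.1', tzinfo: '1.2.10', nokogiri: '1.13.6' },
};

// Compare dotted versions numerically (so 1.2.10 > 1.2.5). Returns -1, 0 or 1.
// A platform suffix such as "-x86_64-linux" is ignored; non-numeric parts count as 0.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every resolved package from a parsed package-lock.json, including
// transitive copies, which is where outdated versions usually hide.
function npmVersions(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name && meta.version) found.push({ name, version: meta.version, where: path });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (meta.version) found.push({ name, version: meta.version, where: here.join(' > ') });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return found;
}

// Resolved gems in Gemfile.lock are indented four spaces; the six-space lines
// below them are version constraints, not resolved versions, and are skipped.
function gemVersions(text) {
  const found = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^ {4}([A-Za-z0-9_.-]+) \(([^)]+)\)$/.exec(line);
    if (m) found.push({ name: m[1], version: m[2], where: 'Gemfile.lock' });
  }
  return found;
}

// Report entries whose version is below the floor for that package name.
function belowFloor(entries, floors) {
  const has = (name) => Object.prototype.hasOwnProperty.call(floors, name);
  return entries
    .filter((e) => has(e.name) && compareVersions(e.version, floors[e.name]) < 0)
    .map((e) => `${e.name} ${e.version} < ${floors[e.name]} (${e.where})`);
}

// Constructed sample: a lockfileVersion 1 tree with one outdated transitive copy.
const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'example-parent': {
      version: '1.0.0',
      dependencies: { 'decode-uri-component': { version: '0.2.0' } },
    },
    'css-what': { version: '2.1.3' },
  },
};

// Constructed sample: docs/Gemfile.lock with one gem still below its floor.
const SAMPLE_GEMFILE_LOCK = [
  'GEM',
  '  remote: https://rubygems.org/',
  '  specs:',
  '    addressable (2.5.2)',
  '      public_suffix (>= 2.0.2, < 4.0)',
  '    nokogiri (1.13.6-x86_64-linux)',
  '    tzinfo (1.2.10)',
  '      thread_safe (~> 0.1)',
].join('\n');

function auditSample() {
  return [
    ...belowFloor(npmVersions(SAMPLE_PACKAGE_LOCK), FLOORS.npm),
    ...belowFloor(gemVersions(SAMPLE_GEMFILE_LOCK), FLOORS.gem),
  ];
}

for (const finding of auditSample()) console.log(finding);
```

To run it against a real checkout, replace the samples with the parsed contents of package-lock.json and the text of docs/Gemfile.lock.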