Remove `thecodingmachine/safe` dependency by SjorsO · Pull Request #1484 · MyIntervals/PHP-CSS-Parser

SjorsO · 2026-01-27T18:56:46Z

This PR achieves the same as #1482 but with a different approach.

I've kept the thecodingmachine/phpstan-safe-rule PHPStan rule. I've disabled this rule for test classes, I don't think these unsafe functions are a concern in unit testing code.

The maintenance burden of this PR is lower than my previous PR. With this approach, any new code that uses unsafe functions will fail the PHPStan check. This code can then be changed to explicitly check for false, and then the PHPStan error can be ignored with /** @phpstan-ignore theCodingMachineSafe.function */

SjorsO · 2026-01-27T18:57:51Z

src/Parsing/ParserState.php

            }
-            return iconv('utf-32le', $this->charset, $utf32EncodedCharacter);
+            /** @phpstan-ignore theCodingMachineSafe.function */
+            return \iconv('utf-32le', $this->charset, $utf32EncodedCharacter);


The ?string typehint on this method will throw if iconv returns false

SjorsO · 2026-01-27T18:58:57Z

src/Parsing/ParserState.php

-        if (preg_match($expression, $input, $matches, PREG_OFFSET_CAPTURE) !== 1) {
+        /** @phpstan-ignore theCodingMachineSafe.function */
+        if (\preg_match($expression, $input, $matches, PREG_OFFSET_CAPTURE) !== 1) {
            throw new UnexpectedTokenException($expression, $this->peek(5), 'expression', $this->lineNumber);


No need to check for false here. If this preg_match returns false then we'll already throw an exception

SjorsO · 2026-01-27T18:59:36Z

src/Property/Selector.php

        // Whitespace can't be adjusted within an attribute selector, as it would change its meaning
-        $this->selector = !$hasAttribute ? preg_replace('/\\s++/', ' ', $selector) : $selector;
+        /** @phpstan-ignore theCodingMachineSafe.function */
+        $this->selector = !$hasAttribute ? \preg_replace('/\\s++/', ' ', $selector) : $selector;


preg_replace cannot return false. The dependency has preg_replace as a special case.

I think it should be fine to use the normal version of preg_replace

According to https://www.php.net/manual/en/function.preg-replace.php#refsect1-function.preg-replace-returnvalues, it can return a string, an array or null.

You're right, I missed that. I've pushed a commit that checks for null

coveralls · 2026-01-27T19:01:07Z

coverage: 70.34% (-1.0%) from 71.315%
when pulling 2320afc on SjorsO:explicitly-check-for-false
into 9641004 on MyIntervals:main.

SjorsO · 2026-01-27T19:05:29Z

src/Value/CalcFunction.php

+                            /** @phpstan-ignore theCodingMachineSafe.function */
                            preg_match('/\\s/', $parserState->peek(1, -1)) !== 1
+                            /** @phpstan-ignore theCodingMachineSafe.function */
                            || preg_match('/\\s/', $parserState->peek(1, 1)) !== 1


if either of these returns false we'll already throw an exception

JakeQZ · 2026-01-28T00:44:33Z

Appreciate your efforts, @SjorsO (code changes look solid), but I honestly don't think this is the best way forward. I think we need to resolve the bloat in the in the 'Safe' package, for which I created thecodingmachine/safe#706, and have had a response.

SjorsO · 2026-01-28T03:57:17Z

... but I honestly don't think this is the best way forward. I think we need to resolve the bloat in the in the 'Safe' package

Given how widely used PHP-CSS-Parser and emogrifier are, I consider getting rid of any dependency a huge win.

Even if thecodingmachine/safe manages to slim down and remove all the docblocks and other PHP versions, it still autoloads 79 files that contain 1100+ functions (!!), I find this hard to justify, especially considering the alternative is simply checking for false.

I think this PR is a nice middle ground: no dependency that thousands of people have to install, but still a PHPStan rule that warns about unsafe usage during development.

JakeQZ · 2026-01-29T01:19:29Z

thecodingmachine/safe#660 is another reason to avoid using this dependency. In WordPress, each plugin (or theme) brings in its own versions of each dependency, which leads to conflicts, though, in fairness, that is an issue with WordPress.

oliverklee · 2026-02-09T21:36:07Z

Marking this as draft as we're currently working to drastically shrink that package in thecodingmachine/safe#706.

We should revisit this PR here once a new version of Safe has been released.

JakeQZ · 2026-02-15T17:11:13Z

Marking this as draft as we're currently working to drastically shrink that package in thecodingmachine/safe#706.

We should revisit this PR here once a new version of Safe has been released.

With version 3.4, the size is reduced from 6.31Mb to 1.58Mb.

To put it in context, this is comparable to the size of one or two photos in HD quality.

Another factor that impacts website managers is the number of individual files. Hosting providers using cPanel usually impose a limit on the number of file handles. The new version reduces the number of files from 573 to 318.

The new version is only availble for PHP versions >=8.1, and I don't expect will be backported - the older PHP versions are already EOL.

Where do we go from here?

I have no strong opinion, but don't see the download size and number of files as a significant impact, and would prefer to use the library to keep the code robust and clean, without having to implement additional checks and tests.

oliverklee · 2026-02-15T17:17:05Z

but don't see the download size and number of files as a significant impact, and would prefer to use the library to keep the code robust and clean, without having to implement additional checks and tests.

I fully agree.

SjorsO · 2026-02-16T02:34:30Z

For the record, I still strongly feel that adding 1.58mb and 318 files to thousands (millions?) of applications is way too much.

Removing this dependency is a good step to prevent everyone's vendor directory from turning into a second node_modules.

Remove thecodingmachine/safe dependency

2332f66

SjorsO commented Jan 27, 2026

View reviewed changes

SjorsO mentioned this pull request Jan 27, 2026

Remove thecodingmachine/safe dependency #1482

Draft

check preg_replace for null results

2320afc

oliverklee changed the title ~~Remove thecodingmachine/safe dependency (2)~~ Remove thecodingmachine/safe dependency Jan 28, 2026

oliverklee marked this pull request as draft February 9, 2026 21:34

Comments

Conversation

SjorsO commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

SjorsO Jan 27, 2026

Choose a reason for hiding this comment

Uh oh!

SjorsO Jan 27, 2026

Choose a reason for hiding this comment

Uh oh!

SjorsO Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

oliverklee Jan 27, 2026

Choose a reason for hiding this comment

Uh oh!

SjorsO Jan 27, 2026

Choose a reason for hiding this comment

Uh oh!

coveralls commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

SjorsO Jan 27, 2026

Choose a reason for hiding this comment

Uh oh!

JakeQZ commented Jan 28, 2026

Uh oh!

SjorsO commented Jan 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

JakeQZ commented Jan 29, 2026

Uh oh!

oliverklee commented Feb 9, 2026

Uh oh!

JakeQZ commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oliverklee commented Feb 15, 2026

Uh oh!

SjorsO commented Feb 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

SjorsO commented Jan 27, 2026 •

edited

Loading

SjorsO Jan 27, 2026 •

edited

Loading

coveralls commented Jan 27, 2026 •

edited

Loading

SjorsO commented Jan 28, 2026 •

edited

Loading

JakeQZ commented Feb 15, 2026 •

edited

Loading