We Spent Years Hardening Jinja2 in User Config. We're Removing It Instead.
Blog post from Mergify
Mergify has decided to remove the Jinja2 templating feature from its user configuration after years of maintenance challenges and security concerns. Jinja2 was originally adopted so that users could template merge commit messages flexibly, but the ongoing need to patch security vulnerabilities and work around upstream bugs became a burden.

An analysis of user configurations showed that most users wrote only simple templates, which prompted the switch to a narrow declarative schema that matches actual usage patterns. The new schema offers predefined options such as inheriting the title or body from the pull request, and it keeps things simple by relying on GitHub's existing settings without introducing new vulnerabilities.

As security threats evolved, the company recognized that its approach had to change: flexible features are valuable as research tools, but they become liabilities if they are not periodically reviewed and refined. Mergify still uses Jinja2 in other areas, but each remaining use is being re-evaluated to determine whether a more secure, narrow schema can replace it.
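The following is an added illustration of the design shift described above, written for this page and not taken from Mergify's code or its actual configuration schema. The option names (`pull_request_title`, `github_default`, and so on), the `PullRequest` record and the stand-in for GitHub's default merge message are all assumptions chosen for the example. It shows the two properties that make a narrow declarative schema safer than a user-supplied template: unknown keys and non-allowlisted values are rejected when the configuration is loaded, and pull request text is copied into the commit message as opaque data rather than being handed to a template engine.

```python
"""Added example: a narrow declarative schema for merge commit messages,
standing in for a free-form Jinja2 template in user configuration.
Keys, option names and helper functions are hypothetical, not Mergify's."""
from dataclasses import dataclass
from typing import Any, Mapping

# Allowed sources for each part of the commit message. Every option maps to
# a fixed behaviour chosen by the service, so no user-controlled string is
# ever interpreted as code or template syntax.
TITLE_SOURCES = {"pull_request_title", "github_default"}
BODY_SOURCES = {"pull_request_body", "github_default", "none"}
ALLOWED_KEYS = {"title", "body"}


@dataclass(frozen=True)
class CommitMessageConfig:
    title: str = "github_default"
    body: str = "github_default"


@dataclass(frozen=True)
class PullRequest:
    """Minimal constructed stand-in for the pull request data the service has."""
    number: int
    title: str
    body: str


def validate_config(raw: Mapping[str, Any]) -> CommitMessageConfig:
    """Accept only known keys with allowlisted values.

    Rejection happens at config-load time, before any pull request is
    processed, so a misconfiguration is an error the user sees immediately
    rather than a behaviour that surfaces in a merge commit later."""
    unknown = set(raw) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown keys: {sorted(unknown)}")
    title = raw.get("title", "github_default")
    body = raw.get("body", "github_default")
    if title not in TITLE_SOURCES:
        raise ValueError(f"title must be one of {sorted(TITLE_SOURCES)}, got {title!r}")
    if body not in BODY_SOURCES:
        raise ValueError(f"body must be one of {sorted(BODY_SOURCES)}, got {body!r}")
    return CommitMessageConfig(title=title, body=body)


def is_valid_config(raw: Mapping[str, Any]) -> bool:
    """Boolean wrapper around validate_config for quick checks."""
    try:
        validate_config(raw)
    except ValueError:
        return False
    return True


def github_default_message(pr: PullRequest) -> tuple:
    """Constructed stand-in for GitHub's own default merge-commit title/body.
    In a real service this would simply be left to GitHub to fill in."""
    return (f"Merge pull request #{pr.number}", "")


def render_commit_message(cfg: CommitMessageConfig, pr: PullRequest) -> str:
    """Assemble the message by concatenation only.

    The pull request title and body are treated as opaque data: they are
    copied verbatim, never parsed, so template-looking text inside them
    (e.g. '{{ ... }}') stays literal instead of being evaluated."""
    default_title, default_body = github_default_message(pr)
    title = pr.title if cfg.title == "pull_request_title" else default_title
    if cfg.body == "pull_request_body":
        body = pr.body
    elif cfg.body == "github_default":
        body = default_body
    else:  # "none"
        body = ""
    return title if not body else f"{title}\n\n{body}"


if __name__ == "__main__":
    # Constructed sample input.
    pr = PullRequest(number=42, title="Fix config parser", body="Closes #41")
    cfg = validate_config({"title": "pull_request_title", "body": "pull_request_body"})
    print(render_commit_message(cfg, pr))
    # A free-form template, as the old Jinja2 feature would have accepted,
    # is now simply an invalid option value.
    print(is_valid_config({"title": "{{ pull_request.title | upper }}"}))
```

The key design choice is that the allowlist is a closed set of behaviours, not a filter applied to user-supplied syntax: there is no sandbox to escape because nothing is executed. Adding a new option means adding a new branch the service controls, which is the trade-off the post describes between flexibility and a maintainable security boundary.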