As written (in the newly updated version of this PR), no, you'd be outta luck. [...] The consequences of oopsing it on one post won't be very large. [...] Anyway, I think I feel fairly comfortable leaving that as a problem to solve if-and-when.

Reasonable!

Are you trying to curdle all the milk in my fridge, or what. 😅

Haha, I'm adding this to the "quotes" section of my résumé. ;-)

But I think the most likely scenario would be that, as a matter of ops policy, mark and co would want to get vulnerable code OUT of the site in as complete a way as possible, even if we were pretty sure there were no sploits hiding in old posts.

And you might have to, e.g. if a software package becomes no longer feasibly available for the server environment.

Mismatch detection could be done with a dark launch. Run both formatter versions on the source, only use the output of the old one, and log the IDs of posts and comments where the mismatch occurred (and whether exceptions were caught on the new one). No need for a full DB scan, at least at first.

Tangent: For random sampling, I'm imagining you could even do a privacy-preserving transform on source and output HTML, where you replace all letters with "a" and all digits with "1" to allow you to look at non-public content where a mismatch was detected. (Sufficient? Acceptable by DW internal standards? No idea!)

Anyway, sounds like there are plenty of options and no decision is needed ahead of time. Agree that fix-forward is probably fine.