Proc-level $SAFE change does no longer make sense. This should be deprecated and then removed. But the problem is that the position of safe_level argument is in the middle of argument list of ERB#initialize.
So to remove it safely, we should make them keyword arguments and deprecate the current non-keyword-argument interface. Having both interfaces would be backward-compatible because all of arguments don't take {}.
ERB.new("<%= 'foo' %>", 1, '%', '_erbout') # print deprecation in 2.6 if argc >= 2, and removed in later version
ERB.new("<%= 'foo' %>", trim_mode: '%', eoutvar: '_erbout') # no safe_level support from first
Also, as it's in the middle of the list of 4 arguments, 3rd and 4th arguments
(trim_mode, eoutvar) are changed to keyword arguments.
Old ways to specify arguments are deprecated and warned now.
Ruby 2.5's ERB.new interface will continue to be available until Ruby 2.5 becomes EOL. So you don't need to branch ERB.new usage in many places. The deprecation warning is shown only when "-w" (or "-W2") flag is explicitly added.
If you're even against having deprecation warning on warn level 2, please add comments here. I may postpone it.
Updated by