3.0.1

Increases requirements for PHPCS from 3.7.2 to 3.9.2 for improved PHP 8.2 and PHP 8.3 support. Please ensure you run composer update automattic/vipwpcs --with-dependencies to benefit from this.

Removed

• Functions/RestrictedFunctions:
  • #812: Remove restricting term_exists().
  • #814: Remove restricting get_page_by_title().
  • #817: Remove restricting get_page_by_path().

Changed

• #799: Classes/DeclarationCompatibility: Sync signature definitions with WP Core.

Full Changelog: 3.0.0...3.0.1

3.0.0

Props: @GaryJones, @jrfnl

This release requires WordPressCS 3.0.0. It is not compatible with WordPressCS 2.x. Users should read the WordPressCS 3.0 upgrade guide for end-users.

Increases requirements for PHPCS from 3.7.1 to 3.7.2.

The tagged releases branch is now main instead of master.

Added

• #777: 3.0: start using PHPCSUtils.
• #779: 3.0: support WordPressCS 3.0.

Changed

• #780: Performance/WPQueryParams: defer to the parent sniff.
  • Two error codes changed:
    • WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn is now WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in.
    • WordPressVIPMinimum.Performance.WPQueryParams.SuppressFiltersTrue is now WordPressVIPMinimum.Performance.WPQueryParams.SuppressFilters_suppress_filters.

Removed

• #774: Performance/BatcacheWhitelistedParams: remove the sniff.
• #775: Compatibility/Zoninator: remove the sniff.
• #776: Variables/VariableAnalysis: remove the sniff.

Fixed

• #784: Performance/WPQueryParams: prevent false positives for 'exclude' with get_users().
• #788: Security/Mustache: prevent false positives on block editor templates.

Maintenance

• #778: CS: improve use statements.
• #781: Performance/NoPaging: add extra tests.
• #782: GH Actions: minor tweaks to the composer options used.
• #783: Hooks/AlwaysReturnInFilter: remove redundant condition.
• #785: Docs: remove redundant @package tags.
• #786: Add PHPStan to QA checks.
• #787: GH Actions: tweak the way the PHPCS/WPCS versions are set.
• #789: Updates related to branch rename from master to main.
• #790: PHPUnit: Use 7.5 schema.
• #791: Docs: Update CONTRIBUTING.md.

2.3.1

Props: @jrfnl

Fixed

• #668: ProperEscapingFunction: fix overreach of comma usage in non-echo expressions for notAttrEscAttr.
• #670: ProperEscapingFunction: improve "action" match precision for hrefSrcEscUrl.

Deprecated

• #670: ProperEscapingFunction: private properties $url_attrs and $attr_endings are deprecated along with the public methods is_html_attr() and attr_expects_url().

2.3.4

Props: @kshaner, @GaryJones, @jrfnl, @yolih

Increases requirements for PHPCS from 3.5.5+ to 3.7.1.

Fixed

• #709: Add get_theme_file_path() to list of allowed include functions.
• #762: IncludingFile: allow for more path-returning functions.
• #748: ProperEscapingFunction: Fix short tag detection.
• #760: RestrictedFunctions: remove reference to function which doesn't exist.

Changed

• #768: DeclarationCompatibility: performance improvement.

• Rulesets:

  • #763: Move VariableAnalysis configuration from Go to Minimum.
  • #765: Fix the names.

• Composer:

  • #742: Up the minimum PHPCS version to 3.7.1.
  • #764: Update VariableAnalysis dependency to 2.11.17.
  • #738: Allow for the 1.0.0 version of the Composer PHPCS plugin.
  • #721: Update composer.json keywords.
  • #714: Update PHP Parallel Lint and Console Highlighter.
  • #741: Update script names.
  • #747: Fix script references.
  • #708: Update references to the Composer plugin.

• Tests:

  • #735: Unit tests: Support PHP >= 8.1.
  • #746: Fix checks for PHP 8.1 and above.
  • #737: AdminBarRemovalUnitTest: Ensure final reset is read.

• Coding Standards

  • #733: Fix coding standards of VIPCS sniffs.
  • #756: Remove extra line at end of classes.
  • #758: Simplifications of sniffs extending the WPCS AbstractArrayAssignmentRestrictionsSniff.
  • #761: RegexpCompare: remove redundant condition.
  • #771: QA: fix condition order.

• CI:

  • #705: Various updates.
  • #750: Test Higher PHP versions.
  • #724: Fix use of deprecated set-output.
  • #725: Update the xmllint-problem-matcher.
  • #726: Various tweaks.
  • #728: Bust the cache semi-regularly.
  • #711: Version update for various predefined actions.
  • #712: Fix build failure.
  • #755: Validate the PHPCS installed standards.
  • #757: Test and Quicktest tweaks.
  • #767: Minor simplifications.
  • #769: .gitattributes: readability improvement.

• Docs:

  • #722: Updated Docs link for ORDER BY RAND().
  • #707: README: update requirements listing.
  • #706: README: update for Composer 2.2.
  • #766: Various minor doc fixes.
  • #759: Bug template: make version table more comprehensive.
  • #770: Docs: various tag improvements.

Deprecated

• #612: The WordPressVIPMinimum.Compatibility.Zoninator sniff is (soft) deprecated and will be removed in the 3.0.0 release.
• #613: The WordPressVIPMinimum.Performance.BatcacheWhitelistedParams sniff is (soft) deprecated and will be removed in the 3.0.0 release.

2.3.3

Props: @gudmdharalds, @jrfnl , @BrookeDot, @rebeccahum

Changed

• #690: Ruleset: do not flag undefined variables in file scope or unused variables before require statement.
• #691: Composer: use VariableAnalysis 2.11.1.
• #694: PHPCS: enable caching for quicker scanning.
• #697: ProperEscapingFunction: upgrade htmlAttrNotByEscHTML to default severity level.

Removed

• #692: RestrictedFunctions: remove dbDelta group.

2.3.2

Props: @jrfnl

Fixed

• #681: ProperEscapingFunction: improve attribute matching accuracy for notAttrEscAttr.

2.3.0

Props: @jrfnl, @rebeccahum, @kevinfodness, @GaryJones.

** There is a minor breaking change in the ProperEscapingFunction sniff from PR #624. The escaping_function property can no longer be overruled via custom rulesets. Please remove any usages of the property in custom rulesets.

** Composer now requires the phpcodesniffer-composer-installer plugin per #583. Note: If you either include it in the "require-dev" of your composer.json, use another Composer PHPCS plugin, or run bash commands to register PHPCS standards, please remove it from those sources to prevent interferences or version constraint conflicts.

Added

• #581: AlwaysReturnInFilter: flag abstract methods for manual inspection.
• #583: Composer: require phpcs-composer-installer plugin.
• #586: IncludingNonPHPFile: recognition of .phar file extensions.
• #589: WPQueryParams: flags 'exclude' array key.
• #595: Underscorejs: checks for additional print syntaxes and now throws an additional error for each occurrence of unescaped notation.
• #624: ProperEscapingFunction: account for additional escaping functions and check for esc_attr() usage in non-HTML attributes.
• #638: IncludingFile: new public property $allowedKeywords for allowing custom partial keywords in constants to reduce false positives.

Changed

• #586: IncludingNonPHPFile: various performance improvements.
• #587: LowExpiryCacheTime: new warning added for manual inspection along with various improvements.
• #592: DynamicCalls: various improvements.
• #595: Underscorejs: various improvements.
• #618: RestrictedFunctions: upgrade setcookie() to error at sniff level and remove Batcache references from messaging.
• #620: Ruleset: silence UnusedVariable from VariableAnalysis to reduce noise.
• #630: VariableAnalysis: fix incompatibility for VariableAnalysis standard with previously deprecated native VIPCS sniff.
• #639: RestrictedFunctions: remove site_option group.
• #644: RestrictedFunctions: remove wp_cache_get_multi group.
• #645: Ruleset: silence WordPress.WP.AlternativeFunctions.file_system_read_readfile.
• #646: Ruleset: silence WordPress.WP.AlternativeFunctions.file_system_read_fclose.
• #647: RestrictedFunctions: remove get_super_admins group.
• #649: RestrictedFunctions: downgrade switch_to_blog() to warning and change messaging.
• #652: RestrictedFunctions/RestrictedVariables: remove usermeta related errors.

Fixed

• #444: ConstantString: only error when a plain constant is passed as constant name parameter.
• #581: AlwaysReturnInFilter: fix runtime failure on abstract methods.
• #584: Performance: more selective sniffing for efficiency.
• #586: IncludingNonPHPFile: various bug fixes such as recognition of interpolated strings and case insensitivity in file extensions.
• #587: LowExpiryCacheTime: allow arithmetic operators, simple floats, numerical strings, zeroes and parentheses in calculations, and FQN time constants.
• #592: DynamicCalls: ignore comments, allow double quotes and remove potential memory leak.
• #595: Underscorejs: fixed false positive for when a variable is _.escape()-ed.
• #624: ProperEscapingFunction: slash escaped quotes and non-quoted strings in HTML attributes are now parsed as expected.

Removed

• #624: ProperEscapingFunction: remove $escaping_functions public property.

Maintenance

• #582: CI: re-try composer install on failure.
• #599: CI: add build against PHP 8.
• #606: Ruleset: remove redundant rule ref.
• #607: Ruleset: remove redundant rule ref.
• #608: Ruleset: remove duplicate rule ref.
• #611: Ruleset: remove redundant notice type declaration.
• #617: Ruleset: remove redundant notice type declaration.
• #619: Docs: Update links to wpvip.com.
• #631: QA: remove unused use statements.
• #632: Docs: various minor improvements (typos, alignment and code examples).
• #633: CI: switch to GitHub Actions.
• #635: Ruleset: remove redundant rule ref.
• #653: CI: use parallel linting of PHP files.
• #655: QA: remove redundant ignore annotations.
• #656: CI: always check that sniffs are feature complete.
• #657: CI: add "quicktest" stage for non-PR/merge builds.
• #658: Release template: add checkbox for dependency check.

2.2.0

Props: @GaryJones, @jrfnl, @rebeccahum.

Technically, there's a breaking change due to the use of the VariableAnalysis package over the previous sniff. If you have WordPressVIPMinimum.Variables.Variables references in your PHPCS config file or in inline ignore comments, then these will need to be updated to VariableAnalysis.CodeAnalysis.VariableAnalysis.

Added

• #494: .gitattributes file.
• #495: CODEOWNERS file.
• #450: VariableAnalysis package.
• #560: Allow checking test code coverage.
• #579: Docs: Add comparisons and props to change log for old versions.

Changed

• #500: Travis: change from "trusty" to "xenial".
• #501: Move and improve CONTRIBUTING.md.
• #502: CS Ruleset: minor tweaks.
• #508: RulesetTest: don't use the system default version of PHP.
• #558: Test bootstrap: various minor tweaks.
• #571: CS: change yoda conditions to non-yoda.
• #573: Composer: Change minimum stability to stable.

Fixed

• #503: RulesetTest, fix compatibility with Windows.
• #504: RulesetTest: fail the build on failing ruleset tests, fix the failing ruleset test, and fix the test script to handle 0 values.
• #505: DeclarationCompatibility: fix incorrect signature check for Walker::walk().
• #509: RulesetTest: Revert #485 and fix one of the three causes properly.
• #559: Variables/RestrictedVariables: fix namespace of unit test file, fix the test.
• #561: Functions/RestrictedFunctions: fix false positive on class instantiation.
• #563: Hooks/AlwaysReturnInFilter: add support for hook-ins using short arrays.
• #564: Hooks/PreGetPosts: add support for hook-ins using short arrays.
• #565: PreGetPosts: improve the isEarlyMainQueryCheck() method.
• #566: RestrictedFunctions: fix false negative - functions in config_settings would never match.
• #569: RestrictedVariables: don't report on "use" in isset().
• #575: ProperEscaping: Fix message for action attribute.
• #576: Docs: Update notes for releasing.

Deprecated

• #450: Deprecate Variables/VariableAnalysisSniff. Will be removed in the next major release.

2.1.0

Bumps requirements to PHPCS 3.5.5+ and WPCS 2.3.0+.

Added

• get_page_by_path() restricted function warning, to suggest wpcom_vip_get_page_by_path() function.
• stats_get_csv() restricted function error, since this is a Jetpack-only function.
• Expanded list of HTMLExecutingFunctions to include after, appendTo, before, insertAfter, insertBefore, prepend, prependTo, replaceAll and replaceWith.
• Support PHP 5.4+ (down from 5.6+).
• PHP 8 nightly testing.

Changed

• Expand message for wp_remote_get() usage.
• Downgrade append() usage violation from Error to Warning for VIP Go, to be consistent with the other HTMLExecutingFunctions.
• Downgrade AdminBarRemoval sniff from Error to Warning for VIP Go.
• Add get_parent_theme_file_path() to safelist of path functions for WordPressVIPMinimum.Files.IncludingFile sniff.
• Allow short array syntax and fix tests within the VIPCS own coding standards.
• Update issue templates.

Fixed

• Use new WordPress.DateTime.RestrictedFunctions sniff instead of deprecated WordPress.WP.TimezoneChange.
• Fixed warnings and information items in Travis.

Removed

• get_super_admins() restricted function rule for VIP Go.
• WordPressVIPMinimum.VersionControl.MergeConflict sniff in favour of Generic.VersionControl.GitMergeConflict.

2.0.0

This release switches from having WordPress Coding Standards (WPCS) 1.* as a dependency, to WPCS 2.*.

It is not compatible with WPCS 1.*.

The sniffs in WPCS 2.* are more accurate, so you may see new violations there weren't being reported before, and a reduction in violations for false positives.

Added

• Switch to using WPCS 2.*.
  • Remove reference to WPCS's PHPAliases.php.
  • Remove WPCS 1.*'s WordPress.VIP references from rulesets.
  • Bump PHPCS minimum required version to 3.3.1.
  • Update the WPCS namespace.
  • Update ruleset and ruleset test to account for WPCS 2's switch to WordPress.PHP.IniSet sniff.
  • Update ruleset test for WPCS security sniffs.
  • Update DiscouragedPHPFunctions group exclusion in WordPressVIPMinimum ruleset.

Changed

• Downgrade use of file operation functions from Error to Warning:
  • delete
  • file_put_contents
  • flock
  • fputcsv
  • fputs
  • fwrite
  • ftruncate
  • is_writable
  • is_writeable
  • link
  • rename
  • symlink
  • tempnam
  • touch
  • unlink
  • fclose
  • fopen
  • file_get_contents
• Simplify Travis config.
• Switch references from vip.wordpress.com to wpvip.com.
• Documentation updates.
• Switch development to a git-flow workflow.