Merge branch 'develop' into trunk

# Conflicts:
#	readme.txt

Author: peterwilsoncc

.github/workflows/build-release-zip.yml

@@ -6,13 +6,17 @@ on:
     branches:
       - trunk
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build release zip
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Generate ZIP file
-        uses: 10up/action-wordpress-plugin-build-zip@stable
+        uses: 10up/action-wordpress-plugin-build-zip@b9e621e1261ccf51592b6f3943e4dc4518fca0d1 # v1.0.2

.github/workflows/close-stale-issues.yml

@@ -15,7 +15,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           days-before-stale: 7
           days-before-close: 7
@@ -33,4 +33,3 @@ jobs:
           close-issue-reason: 'not_planned'
           any-of-labels: 'needs:feedback'
           remove-stale-when-updated: true
-          

.github/workflows/cypress.yml

@@ -8,35 +8,48 @@ on:
   pull_request:
     branches:
       - develop
+
+permissions:
+  contents: read
+
 jobs:
   cypress:
     name: ${{ matrix.core.name }}
     runs-on: ubuntu-latest
+
     env:
       CYPRESS_MICROSOFT_AZURE_ACCOUNT_NAME: ${{ secrets.MICROSOFT_AZURE_ACCOUNT_NAME }}
       CYPRESS_MICROSOFT_AZURE_ACCOUNT_KEY: ${{ secrets.MICROSOFT_AZURE_ACCOUNT_KEY }}
       CYPRESS_MICROSOFT_AZURE_CONTAINER: ${{ secrets.MICROSOFT_AZURE_CONTAINER }}
       CYPRESS_MICROSOFT_AZURE_USE_FOR_DEFAULT_UPLOAD: ${{ secrets.MICROSOFT_AZURE_USE_FOR_DEFAULT_UPLOAD }}
+
     strategy:
       matrix:
         core:
           - {name: 'WP latest', version: 'latest'}
-          - {name: 'WP minimum', version: 'WordPress/WordPress#6.4'}
+          - {name: 'WP minimum', version: 'WordPress/WordPress#6.6'}
           - {name: 'WP trunk', version: 'WordPress/WordPress#master'}
+
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
     - name: Install dependencies
       run: npm install
+
     - name: Composer (optional)
       run: composer install
       continue-on-error: true
+
     - name: Build (optional)
       run: npm run build
       continue-on-error: true
+
     - name: Set the core version
       run: ./tests/bin/set-core-version.js ${{ matrix.core.version }}
+
     - name: Set up WP environment
       run: npm run env:start
+
     - name: Test
       run: npm run cypress:run

.github/workflows/dependency-review.yml

@@ -15,6 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v1
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3

.github/workflows/php-compatibility.yml

@@ -1,5 +1,8 @@
 name: PHP Compatibility
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -16,10 +19,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set PHP version
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
         with:
           php-version: 8.0
           tools: composer:v2
@@ -29,4 +32,4 @@ jobs:
         run: composer install
 
       - name: Run PHP Compatibility
-        run: vendor/bin/phpcs windows-azure-storage.php includes/ -p --standard=PHPCompatibilityWP --extensions=php --runtime-set testVersion 8.0-
+        run: vendor/bin/phpcs windows-azure-storage.php includes/ -p --standard=PHPCompatibilityWP --extensions=php --runtime-set testVersion 8.0-

.github/workflows/push-asset-readme-update.yml

@@ -1,16 +1,22 @@
 name: Plugin asset/readme update
+
 on:
   push:
     branches:
     - trunk
+
 jobs:
   trunk:
     name: Push to trunk
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
     - name: WordPress.org plugin asset/readme update
-      uses: 10up/action-wordpress-plugin-asset-update@stable
+      uses: 10up/action-wordpress-plugin-asset-update@2480306f6f693672726d08b5917ea114cb2825f7 # v2.2.0
       env:
         SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
-        SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
+        SVN_USERNAME: ${{ secrets.SVN_USERNAME }}

.github/workflows/push-deploy.yml

@@ -1,16 +1,22 @@
 name: Deploy to WordPress.org
+
 on:
   push:
     tags:
     - "*"
+
 jobs:
   tag:
     name: New tag
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
     - name: WordPress Plugin Deploy
-      uses: 10up/action-wordpress-plugin-deploy@stable
+      uses: 10up/action-wordpress-plugin-deploy@54bd289b8525fd23a5c365ec369185f2966529c2 # v2.3.0
       env:
         SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
         SVN_USERNAME: ${{ secrets.SVN_USERNAME }}

.github/workflows/wordpress-version-checker.yml

@@ -1,4 +1,5 @@
 name: "WordPress version checker"
+
 on:
   push:
     branches:
@@ -18,6 +19,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: WordPress version checker
-        uses: skaut/wordpress-version-checker@master
+        uses: skaut/wordpress-version-checker@9d247334f5b30202cb9c1f4aee74c52f37399f69 # v2.2.3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file, per [the Ke
 
 ## [Unreleased] - TBD
 
+## [4.5.2] - 2025-10-29
+### Security
+- Add capability check when replacing media to prevent privilege escalation by authenticated users (props [@peterwilsoncc](https://github.com/peterwilsoncc), [@dkotter](https://github.com/dkotter) via [GHSA-pwm5-mwxv-fjrh](https://github.com/10up/windows-azure-storage/security/advisories/GHSA-pwm5-mwxv-fjrh), [CVE-2025-10749](https://www.cve.org/CVERecord?id=CVE-2025-10749))
+- Bump `minimatch` from 4.0.7 to 4.0.8 (props [@dependabot](https://github.com/apps/dependabot) via [#253](https://github.com/10up/windows-azure-storage/pull/253)).
+
+### Changed
+- Bump WordPress "tested up to" version 6.7 (props [@mehidi258](https://github.com/mehidi258), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@hugosolar](https://github.com/hugosolar) via [#259](https://github.com/10up/windows-azure-storage/pull/259)).
+- Bump WordPress "tested up to" version 6.7 (props [@QAharshalkadu](https://github.com/QAharshalkadu), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#264](https://github.com/10up/windows-azure-storage/pull/264)).
+
+### Developer
+- Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#262](https://github.com/10up/windows-azure-storage/pull/262)).
+- Updated GitHub Action workflow permissions (props [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#265](https://github.com/10up/windows-azure-storage/pull/265)).
+- Clarified all license references to explicitly reference BSD-2-Clause (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#269](https://github.com/10up/windows-azure-storage/pull/269)).
+
 ## [4.5.1] - 2024-07-17
 ### Fixed
 - Fix path issue that duplicates the container name in URL paths (props [@hugosolar](https://github.com/hugosolar), [@cally423](https://github.com/cally423), [@Besdima](https://github.com/Besdima), [@ms2oo8](https://github.com/ms2oo8), [@BCornelissen](https://github.com/BCornelissen), [@dkotter](https://github.com/dkotter) via [#246](https://github.com/10up/windows-azure-storage/pull/246)).
@@ -289,6 +303,7 @@ All notable changes to this project will be documented in this file, per [the Ke
 - First release of Microsoft Azure Storage plugin for WordPress.
 
 [Unreleased]: https://github.com/10up/windows-azure-storage/compare/trunk...develop
+[4.5.2]: https://github.com/10up/windows-azure-storage/compare/4.5.1...4.5.2
 [4.5.1]: https://github.com/10up/windows-azure-storage/compare/4.5.0...4.5.1
 [4.5.0]: https://github.com/10up/windows-azure-storage/compare/4.4.2...4.5.0
 [4.4.2]: https://github.com/10up/windows-azure-storage/compare/4.4.1...4.4.2

CREDITS.md

@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Microsoft Open Technologies (@msopentech)](https://github.com/msopentech), [10up (@10up)](https://github.com/10up), [Morgan Estes (@morganestes)](https://github.com/morganestes), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Allan Collins (@allan23)](https://github.com/allan23), [(@jpaarhuis)](https://github.com/jpaarhuis), [Thorsten Ott (@tott)](https://github.com/tott), [Scott Lee (@scottlee)](https://github.com/scottlee), [Emmanuel Fidelino (@EmmanF)](https://github.com/EmmanF), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [(@mrgregwaugh)](https://github.com/mrgregwaugh), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks), [Brad Parbs (@bradp)](https://github.com/bradp), [Bibin Kurian (@bibinkurian)](https://github.com/bibinkurian), [Anu Thomas Chandy (@anuchandy)](https://github.com/anuchandy), [Suman Chawla (@suchawla)](https://github.com/suchawla), [(@mksunitha)](https://profiles.wordpress.org/mksunitha/), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Jay Wood (@jaywood)](https://github.com/jaywood), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Ricky Lee Whittemore (@rickalee)](https://github.com/rickalee), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Kentaro Ohkouchi (@nanasess)](https://github.com/nanasess), [David Greenwald (@davidegreenwald)](https://github.com/davidegreenwald), [Shah Qureshi (@ShahAaron)](https://github.com/ShahAaron), [(@lostfields)](https://github.com/lostfields), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Jake Edwards (@ShadowXVII)](https://github.com/ShadowXVII), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [(@cally423)](https://github.com/cally423), [(@FreuxF)](https://github.com/FreuxF), [Eric Greenfield (@saltnpixels)](https://github.com/saltnpixels), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Max Lyuchin (@cadic)](https://github.com/cadic), [Marius L. Jensen (@Clorith)](https://github.com/Clorith), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Debabrata Karfa (@debabratakarfa)](https://github.com/debabratakarfa), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Andrew Herder (@superpowered)](https://github.com/superpowered), [Giovanbattista Amato (@gioamato)](https://github.com/gioamato), [Barney Jeffries (@barneyjeffries)](https://github.com/barneyjeffries), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Harshal Kadu (@QAharshalkadu)](https://github.com/QAharshalkadu), [Radovan Šmitala (@radeno)](https://github.com/radeno), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Hugo Solar (@hugosolar)](https://github.com/hugosolar), [Mark Waser (@MWaser)](https://github.com/MWaser), [Oka Tai-Lee (@okadots)](https://github.com/okadots), [Sarah Nicholson (@sarahannnicholson)](https://github.com/sarahannnicholson), [Nicola Peluchetti (@nicoladj77)](https://github.com/nicoladj77), [Shakir Ali (@engrshakirali)](https://github.com/engrshakirali), [Ali Awwad (@ali-awwad)](https://github.com/ali-awwad), [(@glowmedia)](https://github.com/glowmedia), [Besdima (@Besdima)](https://github.com/Besdima), [(@ms2oo8)](https://github.com/ms2oo8), [Bob Cornelissen (@BCornelissen)](https://github.com/BCornelissen).
+[Microsoft Open Technologies (@msopentech)](https://github.com/msopentech), [10up (@10up)](https://github.com/10up), [Morgan Estes (@morganestes)](https://github.com/morganestes), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Allan Collins (@allan23)](https://github.com/allan23), [(@jpaarhuis)](https://github.com/jpaarhuis), [Thorsten Ott (@tott)](https://github.com/tott), [Scott Lee (@scottlee)](https://github.com/scottlee), [Emmanuel Fidelino (@EmmanF)](https://github.com/EmmanF), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [(@mrgregwaugh)](https://github.com/mrgregwaugh), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks), [Brad Parbs (@bradp)](https://github.com/bradp), [Bibin Kurian (@bibinkurian)](https://github.com/bibinkurian), [Anu Thomas Chandy (@anuchandy)](https://github.com/anuchandy), [Suman Chawla (@suchawla)](https://github.com/suchawla), [(@mksunitha)](https://profiles.wordpress.org/mksunitha/), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Jay Wood (@jaywood)](https://github.com/jaywood), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Ricky Lee Whittemore (@rickalee)](https://github.com/rickalee), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Kentaro Ohkouchi (@nanasess)](https://github.com/nanasess), [David Greenwald (@davidegreenwald)](https://github.com/davidegreenwald), [Shah Qureshi (@ShahAaron)](https://github.com/ShahAaron), [(@lostfields)](https://github.com/lostfields), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Jake Edwards (@ShadowXVII)](https://github.com/ShadowXVII), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [(@cally423)](https://github.com/cally423), [(@FreuxF)](https://github.com/FreuxF), [Eric Greenfield (@saltnpixels)](https://github.com/saltnpixels), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Max Lyuchin (@cadic)](https://github.com/cadic), [Marius L. Jensen (@Clorith)](https://github.com/Clorith), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Debabrata Karfa (@debabratakarfa)](https://github.com/debabratakarfa), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Andrew Herder (@superpowered)](https://github.com/superpowered), [Giovanbattista Amato (@gioamato)](https://github.com/gioamato), [Barney Jeffries (@barneyjeffries)](https://github.com/barneyjeffries), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Harshal Kadu (@QAharshalkadu)](https://github.com/QAharshalkadu), [Radovan Šmitala (@radeno)](https://github.com/radeno), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Hugo Solar (@hugosolar)](https://github.com/hugosolar), [Mark Waser (@MWaser)](https://github.com/MWaser), [Oka Tai-Lee (@okadots)](https://github.com/okadots), [Sarah Nicholson (@sarahannnicholson)](https://github.com/sarahannnicholson), [Nicola Peluchetti (@nicoladj77)](https://github.com/nicoladj77), [Shakir Ali (@engrshakirali)](https://github.com/engrshakirali), [Ali Awwad (@ali-awwad)](https://github.com/ali-awwad), [(@glowmedia)](https://github.com/glowmedia), [Besdima (@Besdima)](https://github.com/Besdima), [(@ms2oo8)](https://github.com/ms2oo8), [Bob Cornelissen (@BCornelissen)](https://github.com/BCornelissen), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258).
 
 ## Libraries