You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Release date tentatively set to this Tuesday November 25th.
Already includes entry for PR 2656 on the assumption that it will be merged in time for the release.
Includes removing a stray header.
Includes minor formatting consistency fixes for the file.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+65-15Lines changed: 65 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,6 +8,69 @@ This projects adheres to [Semantic Versioning](https://semver.org/) and [Keep a
8
8
9
9
_No documentation available about unreleased changes as of yet._
10
10
11
+
## [3.3.0] - 2025-11-25
12
+
13
+
### Added
14
+
- Support for attributes on anonymous classes (PHP 8.0) and `readonly` anonymous classes (PHP 8.3) to the `WordPress.Security.EscapeOutput` sniff. Props [@rodrigoprimo]. [#2559]
15
+
- Support for handling "exit as a function call" (PHP 8.4) to the `WordPress.Security.EscapeOutput` sniff. [#2563]
16
+
- WordPress-Extra: the following sniffs have been added to the ruleset: `Universal.Attributes.BracketSpacing` and `Universal.Attributes.DisallowAttributeParentheses`. [#2646]
17
+
18
+
### Changed
19
+
- The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). [#2614]
20
+
- The minimum required `PHP_CodeSniffer` version to 3.13.4 (was 3.13.0). [#2630]
21
+
- The minimum required `PHPCSExtra` version to 1.5.0 (was 1.4.0). [#2646]
22
+
- The default value for `minimum_wp_version`, as used by a [number of sniffs detecting usage of deprecated WP features](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Customizable-sniff-properties#various-sniffs-set-the-minimum-supported-wp-version), has been updated to `6.6`. [#2656]
23
+
-`WordPress.DB.DirectDatabaseQuery` will now recognize more caching functions, like the `wp_cache_*_multiple()` functions as added in WordPress 6.0 and the `wp_cache_*_salted()` functions as added in WordPress 6.9. [#2654]
24
+
-`WordPress.NamingConventions.PrefixAllGlobals` has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. [#2652]
25
+
-`WordPress.WP.ClassNameCase` has been updated to recognize classes introduced in WP up to WP 6.9.0. [#2652]
26
+
-`WordPress.WP.DeprecatedFunctions` now detects functions deprecated in WordPress up to WP 6.9.0. [#2652]
27
+
-`WordPress.WP.DeprecatedParameters` now detects parameters deprecated in WordPress up to WP 6.9.0. [#2652]
28
+
-`WordPress.Security.ValidatedSanitizedInput`: improved the clarity of the error message for the `InputNotValidated` error code. Props [@rodrigoprimo]. [#2642]
29
+
- README: updated `testVersion` recommendations for PHPCompatibility. Props [@johnjago]. [#2471]
30
+
- Example ruleset: updated the `minimum_wp_version` and `testVersion` recommendations. [#2608]
31
+
- All sniffs are now also being tested against PHP 8.5 for consistent sniff results. [#2649]
32
+
- Various housekeeping, including documentation and test improvements. Includes contributions by [@rodrigoprimo].
33
+
34
+
### Deprecated
35
+
- The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). [#2616]
36
+
37
+
### Removed
38
+
-`wp_kses_allowed_html()` from the list of escaping functions. [#2566]
39
+
This affects the `WordPress.Security.EscapeOutput` sniff.
40
+
41
+
### Fixed
42
+
-`WordPress.DB.DirectDatabaseQuery`: false positive when function call to caching functions did not use the canonical function name. Props [@rodrigoprimo]. [#2613]
43
+
-`WordPress.DB.DirectDatabaseQuery`: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props [@rodrigoprimo]. [#2615]
44
+
-`WordPress.DB.PreparedSQL`: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props [@rodrigoprimo]. [#2570]
45
+
-`WordPress.DB.PreparedSQLPlaceholders`: improved handling of fully qualified calls to global functions. Props [@rodrigoprimo]. [#2569]
46
+
-`WordPress.Security.EscapeOutput`: expanded protection against false positives for `*::class`. Props [@rodrigoprimo]. [#2605]
47
+
-`WordPress.Security.NonceVerification`: false positive when nonce checking function call did not use the canonical function name. Props [@rodrigoprimo]. [#2572]
48
+
-`WordPress.WP.EnqueuedResourceParameters`: the sniff could cause a PHP 8.5 deprecation notice if the _code under scan_ contained one of the deprecated type casts. [#2573]
49
+
-`WordPress.WP.EnqueuedResourceParameters`: improved recognition of non-lowercase and fully qualified `true`/`false`/`null` when passed as the `$ver` parameter value. Props [@rodrigoprimo]. [#2630]
@@ -39,10 +102,7 @@ _No documentation available about unreleased changes as of yet._
39
102
- Various housekeeping, including documentation and test improvements. Includes contributions by [@rodrigoprimo] and [@szepeviktor].
40
103
- All sniffs are now also being tested against PHP 8.4 for consistent sniff results. [#2511]
41
104
42
-
### Deprecated
43
-
44
105
### Removed
45
-
46
106
- The `Generic.Functions.CallTimePassByReference` has been removed from the `WordPress-Extra` ruleset. Props [@rodrigoprimo]. [#2536]
47
107
This sniff was dated anyway and deprecated in PHP_CodeSniffer. If you need to check if your code is PHP cross-version compatible, use the [PHPCompatibility] standard instead.
48
108
@@ -79,7 +139,6 @@ _No documentation available about unreleased changes as of yet._
79
139
- The `sanitize_locale_name()` function to the list of known "sanitize & unslash" functions. Props [@Chouby]
80
140
81
141
### Changed
82
-
83
142
- The minimum required `PHP_CodeSniffer` version to 3.9.0 (was 3.7.2).
84
143
- The minimum required `PHPCSUtils` version to 1.0.10 (was 1.0.8).
85
144
- The minimum required `PHPCSExtra` version to 1.2.1 (was 1.1.0).
@@ -96,24 +155,20 @@ _No documentation available about unreleased changes as of yet._
96
155
- Various housekeeping, includes a contribution from [@rodrigoprimo].
97
156
98
157
### Fixed
99
-
100
158
-`WordPress.WP.PostsPerPage` could potentially result in an `Internal.Exception` when encountering a query string which doesn't include the value for `posts_per_page` in the query string. Props [@anomiex] for reporting.
101
159
102
160
103
161
## [3.0.1] - 2023-09-14
104
162
105
163
### Added
106
-
107
164
- In WordPressCS 3.0.0, the functionality of the `WordPress.Security.EscapeOutput` sniff was updated to report unescaped message parameters passed to exceptions created in `throw` statements. This specific violation now has a separate error code: `ExceptionNotEscaped`. This will allow users to ignore or exclude that specific error code. Props [@anomiex].
108
165
The error code(s) for other escaping issues flagged by the sniff remain unchanged.
109
166
110
167
### Changed
111
-
112
168
- Updated the CI workflow to test the example ruleset for issues.
113
169
- Funding files and updates in the Readme about funding the project.
114
170
115
171
### Fixed
116
-
117
172
- Fixed a sniff name in the `phpcs.xml.dist.sample` file (case-sensitive sniff name). Props [@dawidurbanski].
118
173
119
174
@@ -135,7 +190,6 @@ In all cases, please read the complete changelog carefully before you upgrade.
135
190
136
191
137
192
### Added
138
-
139
193
- Dependencies on the following packages: [PHPCSUtils](https://phpcsutils.com/), [PHPCSExtra](https://github.com/PHPCSStandards/PHPCSExtra) and the [Composer PHPCS plugin].
140
194
- A best effort has been made to add support for the new PHP syntaxes/features to all WordPressCS native sniffs and utility functions (or to verify/improve existing support).
141
195
While support in external sniffs used by WordPressCS has not be exhaustively verified, a lot of work has been done to try and add support for new PHP syntaxes to those as well.
@@ -222,7 +276,6 @@ More information is available in the [Upgrade Guide to WordPressCS 3.0.0 for Dev
222
276
223
277
224
278
### Changed
225
-
226
279
- As of this version, installation via Composer is the only supported manner of installation.
227
280
Installing in a different manner (git clone/PEAR/PHAR) is still possible, but no longer supported.
228
281
- The minimum required `PHP_CodeSniffer` version to 3.7.2 (was 3.3.1).
@@ -311,9 +364,7 @@ More information is available in the [Upgrade Guide to WordPressCS 3.0.0 for Dev
311
364
-`AbstractFunctionRestrictionsSniff`: The `whitelist` key in the `$groups` array property has been renamed to `allow`.
312
365
- The `WordPress.NamingConventions.ValidFunctionName` sniff no longer extends the similar PHPCS native `PEAR` sniff.
313
366
314
-
315
367
### Removed
316
-
317
368
- Support for the deprecated, old-style WordPressCS native ignore annotations. Use the PHPCS native selective ignore annotations instead.
318
369
- The following WordPressCS native sniffs have been removed:
319
370
- The `WordPress.Arrays.CommaAfterArrayItem` sniff (replaced by the `NormalizedArrays.Arrays.CommaAfterLast` and the `Universal.WhiteSpace.CommaSpacing` sniffs).
@@ -369,9 +420,7 @@ More information is available in the [Upgrade Guide to WordPressCS 3.0.0 for Dev
369
420
-`WordPressCS\WordPress\Sniff::valid_direct_scope()` method (use the `PHPCSUtils\Utils\Scopes::validDirectScope()` method instead).
370
421
- Unused dev-only files in the (now removed) `bin` directory.
371
422
372
-
373
423
### Fixed
374
-
375
424
- All sniffs which, in one way or another, check whether code represents a short list or a short array will now do so more accurately.
376
425
This fixes various false positives and false negatives.
377
426
- Sniffs supporting the `minimum_wp_version` property (previously `minimum_supported_version`) will no longer throw a "passing null to non-nullable" deprecation notice on PHP 8.1+.
@@ -693,7 +742,6 @@ If you are a maintainer of an external standard based on WordPressCS and any of
693
742
### Changes since 2.0.0-RC1
694
743
695
744
#### Fixed
696
-
697
745
-`WordPress-Extra`: Reverted back to including the `Squiz.WhiteSpace.LanguageConstructSpacing` sniff instead of the new `Generic.WhiteSpace.LanguageConstructSpacing` sniff as the new sniff is not (yet) available when the PEAR install of PHPCS is used.
0 commit comments