3.0.1

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
       - name: "Setup PHP"
         uses: shivammathur/setup-php@v2
         with:
-          php-version: "7.4"
+          php-version: "8.4"
           coverage: none
 
       - name: "Checkout code"
@@ -47,7 +47,7 @@ jobs:
       - name: "Setup PHP"
         uses: shivammathur/setup-php@v2
         with:
-          php-version: "7.4"
+          php-version: "8.4"
           coverage: none
 
       - name: "Install xmllint"
@@ -97,7 +97,7 @@ jobs:
       - name: "Setup PHP"
         uses: shivammathur/setup-php@v2
         with:
-          php-version: "7.4"
+          php-version: "8.4"
           coverage: none
 
       - name: "Checkout code"
@@ -119,7 +119,7 @@ jobs:
     runs-on: "ubuntu-latest"
     strategy:
       matrix:
-        php: [ '7.4', '8.0', '8.1', '8.2' ]
+        php: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
 
     steps:
       - name: "Set up PHP"
@@ -139,6 +139,7 @@ jobs:
       - name: "Install Composer dependencies"
         uses: ramsey/composer-install@v2
         with:
+          composer-options: --ignore-platform-req=php+
           custom-cache-suffix: $(date -u "+%Y-%m")
 
       - name: Lint against parse errors
@@ -155,7 +156,7 @@ jobs:
       - name: "Set up PHP"
         uses: shivammathur/setup-php@v2
         with:
-          php-version: "7.4"
+          php-version: "8.4"
           coverage: none
           tools: phpstan
 
@@ -171,43 +172,22 @@ jobs:
         run: phpstan analyse
 
   tests:
-    name: "PHP ${{ matrix.php }} with PHPCS ${{ matrix.phpcs_branch }}/WordPressCS ${{ matrix.wpcs_branch }}"
+    name: "Tests: PHP ${{ matrix.php }}"
     needs:
       - "composer_validate"
       - "ruleset_validate"
     runs-on: ubuntu-latest
-    continue-on-error: ${{ matrix.allowed_failure }}
     strategy:
       fail-fast: false
       matrix:
-        php: [ '7.4', '8.0', '8.1', '8.2' ]
-        phpcs_branch: [ 'lowest', 'dev-master' ]
-        wpcs_branch: [ '3.0.0', 'dev-develop' ]
-        allowed_failure: [ false ]
-        exclude:
-          # Only run low WordPressCS in combination with low PHPCS and high WordPressCS with high PHPCS.
-          - phpcs_branch: '3.7.2'
-            wpcs_branch: '3.0.0'
-          - phpcs_branch: 'dev-master'
-            wpcs_branch: 'dev-develop'
-        # Allow failure on non-released version of PHP.
-        include:
-          - php: '8.3'
-            phpcs_branch: 'dev-master'
-            wpcs_branch: 'dev-develop'
-            allowed_failure: true
+        php: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
 
     steps:
       # On stable PHPCS versions, allow for PHP deprecation notices.
       # Unit tests don't need to fail on those for stable releases where those issues won't get fixed anymore.
       - name: "Setup ini config"
         id: set_ini
-        run: |
-          if [ "${{ matrix.phpcs_branch }}" != "dev-master" ]; then
-            echo 'PHP_INI=error_reporting=E_ALL & ~E_DEPRECATED, display_errors=On' >> $GITHUB_OUTPUT
-          else
-            echo 'PHP_INI=error_reporting=-1, display_errors=On' >> $GITHUB_OUTPUT
-          fi
+        run: echo 'PHP_INI=error_reporting=E_ALL & ~E_DEPRECATED, display_errors=On' >> $GITHUB_OUTPUT
 
       # Setup PHP versions, run checks
       - name: "Setup PHP"
@@ -220,11 +200,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v4
 
-      - name: "Set the minimum stability requirement for develop branch of WordPressCS"
-        if: ${{ matrix.wpcs_branch == 'dev-develop' }}
-        run: composer config minimum-stability dev
-
-      - name: "Install Composer dependencies (PHP < 8.0 )"
+      - name: "Install Composer dependencies (PHP < 8.0)"
         if: ${{ matrix.php < 8.0 }}
         uses: ramsey/composer-install@v2
         with:
@@ -237,25 +213,13 @@ jobs:
           composer-options: --ignore-platform-req=php+
           custom-cache-suffix: $(date -u "+%Y-%m")
 
-      - name: "Set the required PHPCS and WordPressCS versions"
-        if: ${{ matrix.phpcs_branch != 'lowest' }}
-        env:
-          PHPCS_BRANCH: ${{ matrix.phpcs_branch }}
-          WPCS_BRANCH: ${{ matrix.wpcs_branch }}
-        run: composer require squizlabs/php_codesniffer:${PHPCS_BRANCH} wp-coding-standards/wpcs:${WPCS_BRANCH} --no-update --no-scripts --no-interaction
-
-      - name: "Set PHPCS version (lowest)"
-        if: ${{ matrix.phpcs_version == 'lowest' }}
-        run: composer update squizlabs/php_codesniffer --prefer-lowest --ignore-platform-req=php+ --no-scripts --no-interaction
-
       - name: "Test the Eightshift ruleset"
         run: composer tests:checkcs
 
       # Test for fixer conflicts by running the auto-fixers of the complete WordPressCS over the test case files.
       # This is not an exhaustive test, but should give an early indication for typical fixer conflicts.
       # If only fixable errors are found, the exit code will be 1, which can be interpreted as success.
       - name: "Test for fixer conflicts (fixes expected)"
-        if: ${{ matrix.phpcs_branch == 'dev-master' }}
         continue-on-error: true
         run: |
           $(pwd)/vendor/bin/phpcbf -pq ./Eightshift/Tests/ --standard=Eightshift --extensions=inc --exclude=Generic.PHP.Syntax --report=summary

.gitignore

@@ -2,6 +2,7 @@ composer.phar
 /vendor
 phpcs-report.xml
 composer.lock
+.phpunit.result.cache
 
 # Mac OS custom attribute store and thumbnails
 *.DS_Store

CHANGELOG.md

@@ -10,6 +10,14 @@ The semantic versioning started from version 0.2.1.
 
 _No documentation available about unreleased changes yet._
 
+## [3.0.1](https://github.com/infinum/eightshift-coding-standards/compare/3.0.0...3.0.1)
+
+### Changed
+- Updated dependencies. PHPUnit had a security vulnerability that needed to be addressed. More recent versions of PHPUnit (v10+) introduced breaking changes that would require a major version bump. Priority of this release was to fix the security vulnerability.
+- Added exclude to deprecated ruleset since WordPressCS v3.3.0. Covered by PHPCompatibilityWP.
+- Renamed tests.
+- CI updates.
+
 ## [3.0.0](https://github.com/infinum/eightshift-coding-standards/compare/2.0.0...3.0.0)
 
 ### Changed
@@ -60,7 +68,7 @@ _No documentation available about unreleased changes yet._
 - Add ignoreComments property for the line length sniff
 
 ### Fixed
-- Fixed the edge case with overwriting libs classes. 
+- Fixed the edge case with overwriting libs classes.
 
 ### Changed
 - Code cleanup in EightShift ComponentsEscape sniff
@@ -76,22 +84,22 @@ _No documentation available about unreleased changes yet._
 
 ### Fixed
 - Fixed `Eightshift.Security.ComponentsEscape` sniff
-  - There was a case where the next string token caused issue because there was no guard clause 
+  - There was a case where the next string token caused issue because there was no guard clause
     to check if the string is actually a Components class or not.
 
 
 ## [1.4.0](https://github.com/infinum/eightshift-coding-standards/compare/1.3.0...1.4.0) - 2022-03-09
 
 ### Added
-- EightShift ruleset: add rules for use statements 
+- EightShift ruleset: add rules for use statements
   - Adds a new dependency on the Slevomat Coding Standard library.
   - Adds four sniffs from this coding standard to the ruleset:
       1. Forbidding unused `use` statements.
       2. Enforcing fully qualified global functions and constants.
       3. Enforcing import `use` statements for everything else.
   - Includes fixing up the EightShift coding standards code base for these new rules.
   - Ref: https://github.com/slevomat/coding-standard
-- Add new EightShift FunctionComment sniff 
+- Add new EightShift FunctionComment sniff
   - This sniff overloads the `Squiz.Commenting.FunctionComment` sniff which normally comes included via the `WordPress-Docs` ruleset and makes an allowance for the `__invoke` method in the CLI classes.
   - Includes:
     - Unit tests.
@@ -157,7 +165,7 @@ A huge thanks to Juliette Reinders Folmer (@jrfnl) for amazing help in fixing to
 
 ### Changed
 - Updated sniffs namespace
-  
+
 ### Fixed
 - Fix docblocks in the sniffs
 
@@ -179,9 +187,7 @@ We renamed the package from `infinum/coding-standards-wp` to `infinum/eightshift
 
 ### Official release of the Eightshift coding standards for WordPress projects
 
-This is the official release of the Eightshift coding standards for WordPress. It contains breaking changes, mostly in
- regard
- of the naming scheme. 
+This is the official release of the Eightshift coding standards for WordPress. It contains breaking changes, mostly in regard of the naming scheme.
 To equate the way we write our PHP and JS we opted to follow a modified PSR standards.
 What this means is that we will remove liberal spacing, add some PSR12 modifications regarding arguments placing in closures, change snake_case with CamelCase for classes (for autoload puropses) and some other minor changes that will be documented below.
 If you wish to use the old standards, be sure to modify your projects `composer.json` file with the appropriate version.

Eightshift/Sniffs/Security/HelpersEscapeSniff.php

@@ -111,8 +111,17 @@ public function process_token($stackPtr)
 				}
 			}
 
-			// Check for Helpers string token.
-			$helpersClassNamePtr = $phpcsFile->findNext(\T_STRING, ($stackPtr + 1), null, false, 'Helpers');
+			// Check for Helpers string token that is followed by the double colon (static method call).
+			// We need the class name "Helpers", not a namespace segment "Helpers".
+			$helpersClassNamePtr = false;
+			$searchPtr = $stackPtr;
+
+			while (($searchPtr = $phpcsFile->findNext(\T_STRING, ($searchPtr + 1), null, false, 'Helpers')) !== false) {
+				if (isset($tokens[$searchPtr + 1]) && $tokens[$searchPtr + 1]['code'] === \T_DOUBLE_COLON) {
+					$helpersClassNamePtr = $searchPtr;
+					break;
+				}
+			}
 
 			if (!$helpersClassNamePtr) {
 				// If there is no Helpers down the line, just run the regular sniff.
@@ -180,7 +189,10 @@ public function process_token($stackPtr)
 					$checkedClassName = \explode('\\', $className);
 					$firstNamespacePart = $checkedClassName[0];
 
-					if ($lastNamespacePart === $firstNamespacePart) {
+					// For partial imports, the className must contain multiple parts (e.g. Helpers\Helpers::method())
+					// A single-part className like Helpers::method() with a partial import to the namespace
+					// would resolve to the namespace, not the class.
+					if ($lastNamespacePart === $firstNamespacePart && \count($checkedClassName) > 1) {
 						// Correctly used class name.
 						$methodNamePtr = $phpcsFile->findNext(
 							\T_STRING,

Eightshift/Tests/Security/ComponentsEscapeUnitTest.php → Eightshift/Tests/Security/HelpersEscapeUnitTest.php

@@ -35,18 +35,25 @@ public function getErrorList(string $testFile = ''): array
 		switch ($testFile) {
 			case 'HelpersEscapeUnitTest.1.inc':
 				return [
-					21 => 1,
-					23 => 1,
+					21 => 4,
+					23 => 4,
 				];
 			case 'HelpersEscapeUnitTest.2.inc':
 				return [
 					3 => 1,
+					5 => 2,
+					6 => 1,
 					10 => 1,
-					17 => 1
+					12 => 2,
+					13 => 1,
+					17 => 2,
+					18 => 1,
 				];
 			case 'HelpersEscapeUnitTest.3.inc':
 				return [
 					12 => 1,
+					14 => 2,
+					15 => 1,
 					19 => 1,
 					24 => 1,
 				];
@@ -62,6 +69,8 @@ public function getErrorList(string $testFile = ''): array
 			case 'HelpersEscapeUnitTest.6.inc':
 				return [
 					5 => 1,
+					7 => 2,
+					8 => 1,
 				];
 			default:
 				return [];

Eightshift/ruleset.xml

@@ -147,6 +147,8 @@
 	<!-- PHP sniffs are useful. Except Yoda conditions -->
 	<rule ref="WordPress.PHP">
 		<exclude name="WordPress.PHP.YodaConditions.NotYoda"/>
+		<!-- Deprecated since WordPressCS v3.3.0. Covered by PHPCompatibilityWP. -->
+		<exclude name="WordPress.PHP.POSIXFunctions"/>
 	</rule>
 
 	<!-- Exclude the WP escape output sniff, because we are overloading it. -->

Tests/bootstrap.php

@@ -16,6 +16,8 @@
  * @license https://opensource.org/licenses/MIT MIT
  */
 
+use PHP_CodeSniffer\Util\Standards;
+
 if (!defined('PHP_CODESNIFFER_IN_TESTS')) {
 	define('PHP_CODESNIFFER_IN_TESTS', true);
 }
@@ -148,7 +150,7 @@
 	'Eightshift' => true,
 ];
 
-$allStandards = PHP_CodeSniffer\Util\Standards::getInstalledStandards();
+$allStandards = Standards::getInstalledStandards();
 $allStandards[] = 'Generic';
 
 $standardsToIgnore = [];

composer.json

@@ -23,14 +23,14 @@
 	],
 	"require": {
 		"php": ">=7.4",
-		"phpcompatibility/phpcompatibility-wp": "^2.1.4",
-		"wp-coding-standards/wpcs": "dev-hotifx/escape-output-sniff",
-		"slevomat/coding-standard": "^8.13.0"
+		"phpcompatibility/phpcompatibility-wp": "^2.1.8",
+		"wp-coding-standards/wpcs": "3.3.0",
+		"slevomat/coding-standard": "^8.22.1"
 	},
 	"require-dev": {
-		"phpunit/phpunit": "^7.0",
-		"phpcsstandards/phpcsdevtools": "^1.2.0",
-		"php-parallel-lint/php-parallel-lint": "^1.3.2",
+		"phpunit/phpunit": "^9.6",
+		"phpcsstandards/phpcsdevtools": "^1.2.3",
+		"php-parallel-lint/php-parallel-lint": "^1.4.0",
 		"php-parallel-lint/php-console-highlighter": "^1.0.0",
 		"roave/security-advisories": "dev-master"
 	},