@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Nov 26, 2025

Bumps wp-coding-standards/wpcs from 2.3.0 to 3.3.0.

Release notes

Sourced from wp-coding-standards/wpcs's releases.

3.3.0

Added

  • Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props @​rodrigoprimo. #2559
  • Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #2563
  • WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #2646

Changed

  • The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #2614
  • The minimum required PHP_CodeSniffer version to 3.13.4 (was 3.13.0). #2630
  • The minimum required PHPCSExtra version to 1.5.0 (was 1.4.0). #2646
  • The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #2656
  • WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #2654
  • WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props @​rodrigoprimo. #2642
  • README: updated testVersion recommendations for PHPCompatibility. Props @​johnjago. #2471
  • Example ruleset: updated the minimum_wp_version and testVersion recommendations. #2608
  • All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #2649
  • Various housekeeping, including documentation and test improvements. Includes contributions by @​rodrigoprimo.

Deprecated

  • The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #2616

Removed

  • wp_kses_allowed_html() from the list of escaping functions. #2566 This affects the WordPress.Security.EscapeOutput sniff.

Fixed

  • WordPress.DB.DirectDatabaseQuery: false positive when function call to caching functions did not use the canonical function name. Props @​rodrigoprimo. #2613
  • WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props @​rodrigoprimo. #2615
  • WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props @​rodrigoprimo. #2570
  • WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props @​rodrigoprimo. #2569
  • WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props @​rodrigoprimo. #2605
  • WordPress.Security.NonceVerification: false positive when nonce checking function call did not use the canonical function name. Props @​rodrigoprimo. #2572
  • WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #2573
  • WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props @​rodrigoprimo. #2630

3.2.0

Added

  • New WordPress.WP.GetMetaSingle sniff to the WordPress-Extra ruleset. Props @​rodrigoprimo! #2465 This sniff warns when get_*_meta() and get_metadata*() functions are used with the $meta_key/$key param, but without the $single parameter as this could lead to unexpected behavior due to the different return types.
  • WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.Strings.UnnecessaryHeredoc and Generic.WhiteSpace.HereNowdocIdentifierSpacing. #2534
  • The rest_sanitize_boolean() functions to the list of known "sanitizing" functions. Props @​westonruter. #2530
  • End-user documentation to the following existing sniffs: WordPress.DB.PreparedSQL (props @​jaymcp, #2454), WordPress.NamingConventions.ValidFunctionName (props @​richardkorthuis and @​rodrigoprimo, #2452, #2531), WordPress.NamingConventions.ValidVariableName (props @​richardkorthuis, #2457), WordPress.PHP.DontExtract (props @​aiolachiara #2456). This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.

Changed

  • The minimum required PHP_CodeSniffer version to 3.13.0 (was 3.9.0). #2532

... (truncated)

Changelog

Sourced from wp-coding-standards/wpcs's changelog.

[3.3.0] - 2025-11-25

Added

  • Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props [@​rodrigoprimo]. #2559
  • Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #2563
  • WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #2646

Changed

  • The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #2614
  • The minimum required PHP_CodeSniffer version to 3.13.4 (was 3.13.0). #2630
  • The minimum required PHPCSExtra version to 1.5.0 (was 1.4.0). #2646
  • The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #2656
  • WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #2654
  • WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props [@​rodrigoprimo]. #2642
  • README: updated testVersion recommendations for PHPCompatibility. Props [@​johnjago]. #2471
  • Example ruleset: updated the minimum_wp_version and testVersion recommendations. #2608
  • All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #2649
  • Various housekeeping, including documentation and test improvements. Includes contributions by [@​rodrigoprimo].

Deprecated

  • The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #2616

Removed

  • wp_kses_allowed_html() from the list of escaping functions. #2566 This affects the WordPress.Security.EscapeOutput sniff.

Fixed

  • WordPress.DB.DirectDatabaseQuery: false positive when function call to caching functions did not use the canonical function name. Props [@​rodrigoprimo]. #2613
  • WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props [@​rodrigoprimo]. #2615
  • WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props [@​rodrigoprimo]. #2570
  • WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props [@​rodrigoprimo]. #2569
  • WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props [@​rodrigoprimo]. #2605
  • WordPress.Security.NonceVerification: false positive when nonce checking function call did not use the canonical function name. Props [@​rodrigoprimo]. #2572
  • WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #2573
  • WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props [@​rodrigoprimo]. #2630

  • #2471: WordPress/WordPress-Coding-Standards#2471
  • #2559: WordPress/WordPress-Coding-Standards#2559
  • #2563: WordPress/WordPress-Coding-Standards#2563
  • #2566: WordPress/WordPress-Coding-Standards#2566
  • #2569: WordPress/WordPress-Coding-Standards#2569
  • #2570: WordPress/WordPress-Coding-Standards#2570
  • #2572: WordPress/WordPress-Coding-Standards#2572
  • #2573: WordPress/WordPress-Coding-Standards#2573
  • #2605: WordPress/WordPress-Coding-Standards#2605
  • #2608: WordPress/WordPress-Coding-Standards#2608

... (truncated)

Commits
  • 7795ec6 Merge pull request #2658 from WordPress/develop
  • 5025d83 Merge pull request #2657 from WordPress/feature/changelog-3.3.0
  • c2b30bf Merge pull request #2656 from WordPress/feature/update-minimum-wp-version
  • 12e2936 Changelog for the release of WordPressCS 3.3.0
  • da2054d Merge pull request #2654 from WordPress/feature/directdatabasequery-update-fu...
  • 7629477 Merge pull request #2651 from WordPress/feature/use-phpcompatibility-10.0.0-a...
  • 7f36b9d Update the minimum_wp_version to WP 6.6
  • 76eeb61 Merge pull request #2653 from WordPress/feature/ghactions-improve-dont-run-on...
  • 3ef3f9d Merge pull request #2652 from WordPress/feature/update-for-wp-6.9
  • 2e47aad Merge pull request #2649 from WordPress/feature/ghactions-update-for-php-8.5-...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps [wp-coding-standards/wpcs](https://github.com/WordPress/WordPress-Coding-Standards) from 2.3.0 to 3.3.0.
- [Release notes](https://github.com/WordPress/WordPress-Coding-Standards/releases)
- [Changelog](https://github.com/WordPress/WordPress-Coding-Standards/blob/develop/CHANGELOG.md)
- [Commits](WordPress/WordPress-Coding-Standards@2.3.0...3.3.0)

---
updated-dependencies:
- dependency-name: wp-coding-standards/wpcs
  dependency-version: 3.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update php code) labels Nov 26, 2025
@coderabbitai

coderabbitai bot commented Nov 26, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.
