Skip to content

v1.1.0 - Security and reliability hardening

Latest
Latest

Choose a tag to compare

View all tags
@gl0bal01 gl0bal01 released this 18 May 07:10
v1.1.0
5d711db

Highlights

Security + reliability hardening pass, followed by a simplify review.

Critical fixes

  • restore.sh rewritten with case pattern — prior unterminated quote crashed every gzip restore.
  • health-check.sh colors emit real ANSI via printf — prior Unicode glyph rendered as garbage.
  • .env.example key-based sed replacement — prior lowercase pattern never matched DB_PASSWORD=, leaking real generated passwords into the example file.

Security

  • Removed PMA_ARBITRARY: 1 from phpMyAdmin to shrink attack surface.
  • Permissions: 0775 dirs / 0664 files, backups/ 0700 (was 0777, exposing dumps to any host user).
  • PROJECT_NAME validated against [A-Za-z0-9_-]+.
  • openssl added to dependency check (was used without verification).
  • make install no longer uses --force and refuses to overwrite an existing wp-config.php.

Reliability and UX

  • wpcli image now follows PHP_VERSION (was pinned to cli-php8.4).
  • make clean FORCE=1 for non-interactive runs.
  • mailpit now starts by default (dev profile removed; was never activated).
  • make install drops redundant wait-db dep (up already waits).
  • trap EXIT/INT/TERM removes partial project dir on aborted setup.
  • php.ini no longer hardcodes date.timezone; defers to TZ env var.
  • Generated docker-compose.yml validated before setup exits.

Housekeeping

  • .gitignore: plugins/* + !plugins/.gitkeep pattern (so .gitkeep survives), backups/, generated helper scripts, *.sql.gz.tmp.
  • Makefile .PHONY split across lines; dropped undefined prune-backups target.
  • chmod +x consolidated (was duplicated 4×).
  • README PHP badge 8.28.4 to match default.
  • CONTRIBUTING.md added (badge previously linked to missing file).

Simplify pass (follow-up)

  • Color helpers in setup.sh now use the same printf '%s[31m%s%s[0m\n' style as health-check.sh (was inconsistent).
  • Dropped redundant SETUP_COMPLETE flag; .env existence is the single source of truth for the cleanup trap.
  • Final-block permissions now only touch top-level dirs; recursive perms on the WP core tree are deferred to make fix-permissions, avoiding a multi-thousand-file walk on every setup run.
  • fix-permissions collapses two find traversals into one via -or branching (halves stat syscalls).
  • docker compose config validation block flattened from a 3-level nested if to a guard + dispatch + single assertion.

Behavior changes worth noting

  • make install on an existing project now errors instead of silently overwriting wp-config.php. Run make clean first to reinstall.
  • make clean in CI requires FORCE=1 (was hanging on read -p).
  • mailpit now runs by default; ports 1025/8025 are bound on make up.

Full Changelog: v1.0.0...v1.1.0

Assets 2
Loading