
chore: [SITE-5205] PHP 8.5 changelog, test fix, contributor update#365

Merged
mehta-asim merged 13 commits into
mainfrom
SITE-5205-changelog-php85
Jun 22, 2026

Conversation


@mehta-asim mehta-asim commented May 20, 2026


Summary

  • Add PHP 8.5 compatibility changelog entry to readme.txt and README.md
  • Scope-ignore the dev-only Composer audit advisories so composer audit passes without disabling audit globally
  • Ignore the dev-only guzzlehttp/psr7 advisories that blocked the PHP 7.4 composer update re-resolve
  • Add --dev to the PHP 7.4 pantheon-wp-coding-standards require so it stays in require-dev
  • Update pantheon-wordpress-upstream-tests to fix the behat cache-clear test (.updated changed to .notice-success upstream)
  • Point the Behat workflow at the rotated SSH_PRIVATE_KEY secret (was SITE_OWNER_SSH_PRIVATE_KEY)
  • Add metasim to contributors list in both README.md and readme.txt

Context

SITE-5205

PHP 8.5 was added to the test matrix in PR #362. This PR adds the corresponding changelog entry per the WP plugin release convention, plus the CI dependency fixes needed to get the matrix green.

Composer audit was blocking on advisories pulled transitively by the behat/phpunit dev test stack (symfony/dom-crawler, symfony/polyfill-intl-idn, symfony/yaml, phpunit/phpunit). The plugin ships zero production dependencies (require is empty), so none of these reach runtime. Rather than the heavier dependency replacement tracked in SITE-5774, they are suppressed via scoped config.audit.ignore entries, each with a per-advisory justification. This replaces the earlier blunt audit.block-insecure: false workaround (reverted), so real production advisories would still fail audit.

Separately, the PHP 7.4 test job downgrades pantheon-wp-coding-standards to ^2 and runs composer update. Composer 2.9+ blocks advisory-affected versions during update/require (distinct from composer audit), and the behat chain (fabpot/goutte -> guzzlehttp/guzzle 6 -> guzzlehttp/psr7 ^1.9) could not resolve because psr7 <2.10.2 carries advisories and cannot be upgraded (guzzle 6 pins ^1.9). The three guzzlehttp/psr7 advisories are added to the same ignore list. Before adding them the locked set was re-audited (composer audit --locked): all six pre-existing ignores still fire and were kept verbatim.

Ignored advisories (all dev-only, no prod exposure):

| Advisory | Package | CVE | Severity |
|---|---|---|---|
| PKSA-5r1g-c7b7-y1zg | symfony/dom-crawler | CVE-2026-45071 | low |
| PKSA-dwsq-ppd2-mb1x | symfony/polyfill-intl-idn | CVE-2026-46644 | low |
| PKSA-v5yj-8nmz-sk2q | symfony/yaml | CVE-2026-45304 | low |
| PKSA-ft77-7h5f-p3r6 | symfony/yaml | CVE-2026-45305 | low |
| PKSA-b14r-zh1d-vdrc | symfony/yaml | CVE-2026-45133 | low |
| PKSA-z3gr-8qht-p93v | phpunit/phpunit | CVE-2026-24765 | high (dev test runner) |
| PKSA-jj5t-2zs1-dcfm | guzzlehttp/psr7 | CVE-2026-48998 | medium |
| PKSA-gm5x-j3mz-71n9 | guzzlehttp/psr7 | CVE-2026-49214 | medium |
| PKSA-hn62-zkx4-1y5q | guzzlehttp/psr7 | psr7 <2.10.2 | medium |

The remaining abandoned-package notices (behat/mink-goutte-driver, etc.) are a separate concern tracked in SITE-5774, not vulnerabilities.

The deprecated pantheon-systems/action-wporg-validator (WP.org Plugin Validation job) is broken upstream and is out of scope here; its migration to wordpress/plugin-check-action is tracked separately.

Test plan

  • Lint and unit tests pass (PHP 7.4–8.5 matrix)
  • PHP 7.4 composer update resolves (psr7 advisories no longer block)
  • composer audit clears all vulnerability advisories locally (verified; abandoned-package notices remain, tracked in SITE-5774)
  • Verify changelog format in readme.txt and README.md
  • Behat against a live Pantheon site (depends on the rotated SSH_PRIVATE_KEY / TERMINUS_TOKEN secrets being present on the repo)
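The scoped `config.audit.ignore` approach and the "dev-only, no prod exposure" claim behind it are the kind of thing a CI step should keep honest, so here is an added example (not code from this PR or the plugin): a small Python check that reads a composer.json whose `config.audit.ignore` is the advisory-ID-to-justification object form, and a composer.lock that separates production `packages` from `packages-dev`, then reports ignores without a justification, ignores whose package is installed in production, stale ignores, and whether the blunt `audit.block-insecure: false` switch is set. The composer.json and composer.lock contents are constructed samples, the advisory-to-package mapping is the one from the table above (a real run would take it from `composer audit --locked --format=json` output), and the function names are my own.

```python
"""Guard Composer audit suppressions so they stay scoped to dev-only packages.

Added example, not code from the PR or the plugin. The composer.json and
composer.lock texts below are constructed samples; the advisory -> package
mapping is the one listed in the PR description.
"""
import json
from typing import Any, Dict

# Advisory ID -> affected package, as listed in the PR description. A real
# run would read this from composer audit's JSON output instead.
ADVISORY_PACKAGES: Dict[str, str] = {
    "PKSA-5r1g-c7b7-y1zg": "symfony/dom-crawler",
    "PKSA-dwsq-ppd2-mb1x": "symfony/polyfill-intl-idn",
    "PKSA-v5yj-8nmz-sk2q": "symfony/yaml",
    "PKSA-ft77-7h5f-p3r6": "symfony/yaml",
    "PKSA-b14r-zh1d-vdrc": "symfony/yaml",
    "PKSA-z3gr-8qht-p93v": "phpunit/phpunit",
    "PKSA-jj5t-2zs1-dcfm": "guzzlehttp/psr7",
    "PKSA-gm5x-j3mz-71n9": "guzzlehttp/psr7",
    "PKSA-hn62-zkx4-1y5q": "guzzlehttp/psr7",
}

# Constructed composer.json (not the plugin's real file): empty production
# "require", and scoped ignores in the ID -> justification form rather than
# a global "block-insecure": false.
COMPOSER_JSON_TEXT = """{
  "require": {},
  "require-dev": {"pantheon-systems/pantheon-wordpress-upstream-tests": "dev-master"},
  "config": {
    "audit": {
      "ignore": {
        "PKSA-5r1g-c7b7-y1zg": "symfony/dom-crawler via behat test deps; dev-only",
        "PKSA-dwsq-ppd2-mb1x": "symfony/polyfill-intl-idn, dev-only (CVE-2026-46644, low)",
        "PKSA-v5yj-8nmz-sk2q": "symfony/yaml, dev-only (CVE-2026-45304, low)",
        "PKSA-ft77-7h5f-p3r6": "symfony/yaml, dev-only (CVE-2026-45305, low)",
        "PKSA-b14r-zh1d-vdrc": "symfony/yaml, dev-only (CVE-2026-45133, low)",
        "PKSA-z3gr-8qht-p93v": "phpunit/phpunit dev test runner (CVE-2026-24765, high)",
        "PKSA-jj5t-2zs1-dcfm": "guzzlehttp/psr7 via guzzle 6 behat chain (CVE-2026-48998)",
        "PKSA-gm5x-j3mz-71n9": "guzzlehttp/psr7 via guzzle 6 behat chain (CVE-2026-49214)",
        "PKSA-hn62-zkx4-1y5q": "guzzlehttp/psr7 <2.10.2, pinned by guzzle 6; dev-only"
      }
    }
  }
}"""

# Constructed composer.lock excerpt: only the "name" field of each entry is
# kept. Production "packages" is empty, matching the PR's claim.
COMPOSER_LOCK_TEXT = """{
  "packages": [],
  "packages-dev": [
    {"name": "symfony/dom-crawler"}, {"name": "symfony/polyfill-intl-idn"},
    {"name": "symfony/yaml"}, {"name": "phpunit/phpunit"},
    {"name": "guzzlehttp/psr7"}, {"name": "guzzlehttp/guzzle"}
  ]
}"""


def package_scopes(lock: dict) -> Dict[str, str]:
    """Map installed package name -> "prod" or "dev" from a composer.lock."""
    scopes = {p["name"]: "prod" for p in lock.get("packages", [])}
    for pkg in lock.get("packages-dev", []):
        scopes.setdefault(pkg["name"], "dev")  # prod wins if listed in both
    return scopes


def check_audit_config(composer_json: dict, lock: dict,
                       advisory_packages: Dict[str, str]) -> Dict[str, Any]:
    """Classify every ignored advisory and flag global audit weakening."""
    audit = composer_json.get("config", {}).get("audit", {})
    ignore = audit.get("ignore", {})
    if isinstance(ignore, list):  # bare list form carries no justifications
        ignore = {advisory_id: "" for advisory_id in ignore}
    scopes = package_scopes(lock)
    findings: Dict[str, Any] = {
        "global_block_disabled": audit.get("block-insecure") is False,
        "unjustified": [], "production_exposed": [], "dev_only": [], "stale": [],
    }
    for advisory_id, reason in ignore.items():
        if not isinstance(reason, str) or not reason.strip():
            findings["unjustified"].append(advisory_id)
        scope = scopes.get(advisory_packages.get(advisory_id, ""))
        bucket = {"prod": "production_exposed", "dev": "dev_only"}.get(scope, "stale")
        findings[bucket].append(advisory_id)
    return findings


def audit_config_is_clean(findings: Dict[str, Any]) -> bool:
    """True when ignores are justified, dev-only, and audit is not globally weakened."""
    return not (findings["global_block_disabled"] or findings["unjustified"]
                or findings["production_exposed"])


def check_from_text(composer_json_text: str, lock_text: str) -> Dict[str, Any]:
    """Convenience wrapper: run the check on raw JSON text of both files."""
    return check_audit_config(json.loads(composer_json_text), json.loads(lock_text),
                              ADVISORY_PACKAGES)


if __name__ == "__main__":
    result = check_from_text(COMPOSER_JSON_TEXT, COMPOSER_LOCK_TEXT)
    print(json.dumps(result, indent=2))
    print("clean" if audit_config_is_clean(result) else "NOT clean")
```

With the sample inputs all nine ignores land in `dev_only` and the config is reported clean; if a later change pulls `guzzlehttp/psr7` into production `packages`, the three psr7 ignores move to `production_exposed` and the check fails, which is exactly the scope creep a per-advisory ignore list is meant to make visible.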

Add PHP 8.5 compatibility note to changelog in both readme.txt
and README.md under the 1.4.6-dev heading.
@mehta-asim mehta-asim requested a review from a team as a code owner May 20, 2026 14:39

codacy-production Bot commented May 20, 2026


Up to standards ✅

🟢 Issues: 0 new issues
🟢 Metrics: duplication 0

Change cleanup step from always() to success() so the multidev
environment is preserved when tests fail, allowing debugging.

Update vendor test package to pick up fix for behat cache clear
test (changed .updated to .notice-success selector).
@github-actions


Composer Changes

| Dev Packages | Operation | Base | Target |
|---|---|---|---|
| pantheon-systems/pantheon-wordpress-upstream-tests | Changed | dev-master 1fa393d | dev-master 1cc8751 |

Add metasim to contributors in both README.md and readme.txt.
@mehta-asim mehta-asim changed the title chore: [SITE-5205] Add PHP 8.5 changelog entry chore: [SITE-5205] PHP 8.5 changelog, CI improvements, contributor update May 22, 2026
@mehta-asim mehta-asim changed the title chore: [SITE-5205] PHP 8.5 changelog, CI improvements, contributor update chore: [SITE-5205] PHP 8.5 changelog, test fix, contributor update May 22, 2026
Comment thread composer.json Outdated
"pantheon-systems/wpunit-helpers": true
},
"audit": {
"block-insecure": false
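Review bot: `"block-insecure": false` under `config.audit` switches off Composer's blocking of advisory-affected versions for every package, including any production dependency added later, so it suppresses far more than the dev-only behat/phpunit advisories this PR is working around. Prefer per-advisory `config.audit.ignore` entries, each carrying a justification for its ID, and drop this key so that a real production advisory still fails `composer audit` and `composer update`.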


why are we doing this?

Member Author


because the tests were failing, this is what we decided to do
https://getpantheon.atlassian.net/browse/SITE-5205?focusedCommentId=350154


it's worth including in the PR description

Member Author


Done

tundeafolabi previously approved these changes May 22, 2026

@tundeafolabi tundeafolabi left a comment


lgtm

…g-standards in dev

- Add scoped audit.ignore for PKSA-5r1g-c7b7-y1zg (symfony/dom-crawler via behat test deps); dev-only, no prod exposure
- Add --dev to PHP 7.4 coding-standards require so it stays in require-dev

The initial audit.ignore only covered symfony/dom-crawler, leaving 5 advisories
active so composer audit still failed. Plugin has zero production dependencies;
all flagged packages are transitive dependencies of the behat/phpunit dev test stack with no
runtime exposure. Ignore the remaining advisories with per-ID justification.

- PKSA-dwsq-ppd2-mb1x  symfony/polyfill-intl-idn (CVE-2026-46644, low)
- PKSA-v5yj-8nmz-sk2q  symfony/yaml              (CVE-2026-45304, low)
- PKSA-ft77-7h5f-p3r6  symfony/yaml              (CVE-2026-45305, low)
- PKSA-b14r-zh1d-vdrc  symfony/yaml              (CVE-2026-45133, low)
- PKSA-z3gr-8qht-p93v  phpunit/phpunit           (CVE-2026-24765, high; dev test runner)

CI fixture credentials were rotated via the secret-manager provisioning
script, which stores the bot's SSH private key under the secret name
SSH_PRIVATE_KEY. Update the Behat workflow's ssh-agent step to reference
the new name (was SITE_OWNER_SSH_PRIVATE_KEY). The TERMINUS_TOKEN secret
already matched the provisioned name and needs no change.

v1.0.0 (and all v1.1.x) run an internal `composer install` against the
action's own bundled deps, whose composer.json never defined allow-plugins.
Modern composer on the runner refuses to run the bundled phpcs-installer
plugin, failing the WP.org Plugin Validation step with an allow-plugins
error unrelated to this repo. v2.0.0 was rearchitected to wrap
wordpress/plugin-check-action and no longer runs that composer install.

…4 resolve

Composer 2.9+ blocks advisory-affected package versions during update/
require. The PHP 7.4 test job downgrades pantheon-wp-coding-standards to
^2 and runs `composer update`, which re-resolves the behat upstream-test
chain (fabpot/goutte -> guzzle 6 -> guzzlehttp/psr7 ^1.9). psr7 <2.10.2
carries advisories and cannot be upgraded (guzzle 6 pins ^1.9), so the
resolve failed with "could not be resolved to an installable set".

Re-audited the locked set (composer audit --locked): all 6 pre-existing
ignores still fire and are kept; added the 3 guzzlehttp/psr7 advisories
(CVE-2026-48998, CVE-2026-49214, plus PKSA-hn62-zkx4-1y5q). All are
dev-only behat test transitive deps with no production exposure; this
plugin ships no runtime composer dependencies.
@mehta-asim


The WP.org Plugin Validation check is red here, but it's out of scope for this PR and not caused by these changes. action-wporg-validator is deprecated and broken on modern composer, and its replacement is broken upstream too: plugin-check 2.0.0 (served by latest-stable) removed the cli.php that plugin-check-action loads via a hardcoded --require path, so the check is red org-wide (wp-redis included). It's not a required check.

Migration off the deprecated action (mirroring wp-redis SITE-5390) is handled separately in #370.

@rkunjappan rkunjappan self-requested a review June 18, 2026 19:53
@mehta-asim mehta-asim merged commit aa74f60 into main Jun 22, 2026
19 of 20 checks passed
@mehta-asim mehta-asim deleted the SITE-5205-changelog-php85 branch June 22, 2026 17:52