From 045ee220da91963ea030af640c3306ac3dd718ae Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Wed, 20 May 2026 10:39:17 -0400 Subject: [PATCH 01/13] chore(SITE-5205): add PHP 8.5 changelog entry Add PHP 8.5 compatibility note to changelog in both readme.txt and README.md under the 1.4.6-dev heading. --- README.md | 1 + readme.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index a609caa..e6f4e83 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,7 @@ Adds a WP-CLI command to add an index to the sessions table if one does not exis ## Changelog ## ### 1.4.6-dev ### +* Compatibility: Supports PHP 8.5 ### 1.4.5 (December 2, 2025) ### * Compatibility: Supports Wordpress 6.9 diff --git a/readme.txt b/readme.txt index 1ce2b7b..4e4fcf3 100644 --- a/readme.txt +++ b/readme.txt @@ -99,6 +99,7 @@ Adds a WP-CLI command to add an index to the sessions table if one does not exis == Changelog == = 1.4.6-dev = +* Compatibility: Supports PHP 8.5 = 1.4.5 (December 2025) = * Compatibility: Supports Wordpress 6.9 From a1479b23cade09cd0638c2f1b2668d9415d2b2c3 Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Thu, 21 May 2026 14:27:39 -0400 Subject: [PATCH 02/13] fix(ci): disable Composer audit blocking for insecure packages --- composer.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/composer.json b/composer.json index 7eb2c67..017016d 100644 --- a/composer.json +++ b/composer.json @@ -45,6 +45,9 @@ "dealerdirect/phpcodesniffer-composer-installer": true, "pantheon-systems/wpunit-helpers": true }, + "audit": { + "block-insecure": false + }, "sort-packages": true } } From 1d453eb76513041864406275349fa9584043c9e4 Mon Sep 17 00:00:00 2001 
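Review bot: `"block-insecure": false` in the new `audit` object of composer.json (PATCH 02/13) switches advisory blocking off for every package and every future advisory, not only the ones that broke CI, and it would equally cover anything later added under `require`. A scoped exception keeps the gate working for everything else: list each accepted advisory under `audit.ignore` with its reason, in the form `"audit": { "ignore": { "<ADVISORY-ID>": "<why it is acceptable>" } }` (id and reason are placeholders). The commit message does not name the advisories that triggered the failure; recording them there would let a reader check the exception.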
From: Asim Mehta Date: Fri, 22 May 2026 09:40:39 -0400 Subject: [PATCH 03/13] ci: preserve test environment on behat failure Change cleanup step from always() to success() so the multidev environment is preserved when tests fail, allowing debugging. --- .github/workflows/test-behat.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-behat.yml b/.github/workflows/test-behat.yml index 342c981..e64d21b 100644 --- a/.github/workflows/test-behat.yml +++ b/.github/workflows/test-behat.yml @@ -100,6 +100,6 @@ jobs: - name: Behat tests (strict) run: ./bin/behat-test.sh --strict - - name: Cleanup (always) - if: always() + - name: Cleanup (on success only) + if: success() run: ./bin/behat-cleanup.sh From 6f676509a75e353b7d6c90960461a43d780ba119 Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Fri, 22 May 2026 09:58:58 -0400 Subject: [PATCH 04/13] chore: update pantheon-wordpress-upstream-tests Update vendor test package to pick up fix for behat cache clear test (changed .updated to .notice-success selector). --- composer.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/composer.lock b/composer.lock index 7679f91..4396a34 100644 --- a/composer.lock +++ b/composer.lock @@ -1218,12 +1218,12 @@ "source": { "type": "git", "url": "https://github.com/pantheon-systems/pantheon-wordpress-upstream-tests.git", - "reference": "1fa393d4d65a888cbd5f11a405827e9695fb0634" + "reference": "1cc875102a3b080e042a3f749d63bd3c87fc1b3f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/pantheon-systems/pantheon-wordpress-upstream-tests/zipball/1fa393d4d65a888cbd5f11a405827e9695fb0634", - "reference": "1fa393d4d65a888cbd5f11a405827e9695fb0634", + "url": "https://api.github.com/repos/pantheon-systems/pantheon-wordpress-upstream-tests/zipball/1cc875102a3b080e042a3f749d63bd3c87fc1b3f", + "reference": "1cc875102a3b080e042a3f749d63bd3c87fc1b3f", "shasum": "" }, "require": { 
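Review bot: With `if: success()` on the cleanup step in test-behat.yml (PATCH 03/13), `./bin/behat-cleanup.sh` is skipped on every failed or cancelled run, so each red build leaves a multidev environment behind and nothing in this hunk removes it later. Preserved environments then accumulate and stay reachable until someone deletes them by hand. Keeping `if: always()` and skipping cleanup only on an explicit opt-in bounds that, e.g. `if: always() && inputs.keep_env != 'true'` (input name constructed for illustration; it needs a matching `workflow_dispatch` input, which would sit outside this hunk).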
@@ -1249,7 +1249,7 @@ "issues": "https://github.com/pantheon-systems/pantheon-wordpress-upstream-tests/issues", "source": "https://github.com/pantheon-systems/pantheon-wordpress-upstream-tests/tree/master" }, - "time": "2024-09-23T20:47:25+00:00" + "time": "2026-05-11T15:07:42+00:00" }, { "name": "pantheon-systems/pantheon-wp-coding-standards", @@ -5813,5 +5813,5 @@ "prefer-lowest": false, "platform": {}, "platform-dev": {}, - "plugin-api-version": "2.6.0" + "plugin-api-version": "2.9.0" } From acb8735528b9d059bfced3f82f3e6903dac2e08e Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Fri, 22 May 2026 10:06:28 -0400 Subject: [PATCH 05/13] chore: add metasim to contributors list Add metasim to contributors in both README.md and readme.txt. --- README.md | 2 +- readme.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e6f4e83..d3964b6 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,5 @@ # Native PHP Sessions # -**Contributors:** [getpantheon](https://profiles.wordpress.org/getpantheon), [outlandish josh](https://profiles.wordpress.org/outlandish-josh), [mpvanwinkle77](https://profiles.wordpress.org/mpvanwinkle77), [danielbachhuber](https://profiles.wordpress.org/danielbachhuber), [andrew.taylor](https://profiles.wordpress.org/andrew.taylor), [jazzs3quence](https://profiles.wordpress.org/jazzs3quence), [stovak](https://profiles.wordpress.org/stovak), [jspellman](https://profiles.wordpress.org/jspellman/), [rwagner00](https://profiles.wordpress.org/rwagner00/), [anaispantheor](https://profiles.wordpress.org/anaispantheor) +**Contributors:** [getpantheon](https://profiles.wordpress.org/getpantheon), [outlandish josh](https://profiles.wordpress.org/outlandish-josh), [mpvanwinkle77](https://profiles.wordpress.org/mpvanwinkle77), [danielbachhuber](https://profiles.wordpress.org/danielbachhuber), [andrew.taylor](https://profiles.wordpress.org/andrew.taylor), [jazzs3quence](https://profiles.wordpress.org/jazzs3quence), [stovak](https://profiles.wordpress.org/stovak), [jspellman](https://profiles.wordpress.org/jspellman/), [rwagner00](https://profiles.wordpress.org/rwagner00/), [anaispantheor](https://profiles.wordpress.org/anaispantheor), [metasim](https://profiles.wordpress.org/metasim/) **Tags:** comments, sessions **Requires at least:** 5.3 **Tested up to:** 6.9 diff --git a/readme.txt b/readme.txt index 4e4fcf3..3dc3a41 100644 --- a/readme.txt +++ b/readme.txt @@ -1,5 +1,5 @@ === Native PHP Sessions === -Contributors: getpantheon, outlandish josh, mpvanwinkle77, danielbachhuber, andrew.taylor, jazzs3quence, stovak, jspellman, rwagner00 +Contributors: getpantheon, outlandish josh, mpvanwinkle77, danielbachhuber, andrew.taylor, jazzs3quence, stovak, jspellman, rwagner00, metasim Tags: comments, sessions Requires at least: 5.3 Tested up to: 6.9 From f031c520fee5fd2071fe6fa10144e86f1b268a30 Mon Sep 17 00:00:00 2001 
From: Asim Mehta Date: Fri, 22 May 2026 10:09:46 -0400 Subject: [PATCH 06/13] Revert "ci: preserve test environment on behat failure" This reverts commit 1d453eb76513041864406275349fa9584043c9e4. --- .github/workflows/test-behat.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-behat.yml b/.github/workflows/test-behat.yml index e64d21b..342c981 100644 --- a/.github/workflows/test-behat.yml +++ b/.github/workflows/test-behat.yml @@ -100,6 +100,6 @@ jobs: - name: Behat tests (strict) run: ./bin/behat-test.sh --strict - - name: Cleanup (on success only) - if: success() + - name: Cleanup (always) + if: always() run: ./bin/behat-cleanup.sh From 42a25a843dabce51f93cbd38bf8e24b58f580ee5 Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Tue, 26 May 2026 10:15:37 -0400 Subject: [PATCH 07/13] Revert "fix(ci): disable Composer audit blocking for insecure packages" This reverts commit a1479b23cade09cd0638c2f1b2668d9415d2b2c3. --- composer.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/composer.json b/composer.json index 017016d..7eb2c67 100644 --- a/composer.json +++ b/composer.json @@ -45,9 +45,6 @@ "dealerdirect/phpcodesniffer-composer-installer": true, "pantheon-systems/wpunit-helpers": true }, - "audit": { - "block-insecure": false - }, "sort-packages": true } } From 199b620aec1c8a1c7c1ed31e4885af58fb7a533c Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Tue, 2 Jun 2026 10:56:17 -0400 Subject: [PATCH 08/13] fix(ci): [SITE-5205] ignore dev-only dom-crawler advisory, keep coding-standards in dev - Add scoped audit.ignore for PKSA-5r1g-c7b7-y1zg (symfony/dom-crawler via behat test deps); dev-only, no prod exposure - Add --dev to PHP 7.4 coding-standards require so it stays in require-dev --- .github/workflows/lint-test.yml | 2 +- composer.json | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index 82f0126..bf1880b 100644 
--- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml @@ -99,7 +99,7 @@ jobs: - name: Install dependencies run: | if [ ${{ matrix.php_version }} = "7.4" ]; then - composer require pantheon-systems/pantheon-wp-coding-standards:^2 --no-update + composer require pantheon-systems/pantheon-wp-coding-standards:^2 --dev --no-update composer update fi composer install diff --git a/composer.json b/composer.json index 7eb2c67..b076cbe 100644 --- a/composer.json +++ b/composer.json @@ -45,6 +45,11 @@ "dealerdirect/phpcodesniffer-composer-installer": true, "pantheon-systems/wpunit-helpers": true }, + "audit": { + "ignore": { + "PKSA-5r1g-c7b7-y1zg": "Dev-only: symfony/dom-crawler via behat test deps (pantheon-wordpress-upstream-tests). No prod exposure. SITE-5205." + } + }, "sort-packages": true } } From ebd0051e362a80af476df01073f69f0f23c741de Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Thu, 4 Jun 2026 10:55:41 -0400 Subject: [PATCH 09/13] fix(ci): [SITE-5205] scope-ignore remaining dev-only audit advisories The initial audit.ignore only covered symfony/dom-crawler, leaving 5 advisories active so composer audit still failed. Plugin has zero production dependencies; all flagged packages are transitive of the behat/phpunit dev test stack with no runtime exposure. Ignore the remaining advisories with per-ID justification. - PKSA-dwsq-ppd2-mb1x symfony/polyfill-intl-idn (CVE-2026-46644, low) - PKSA-v5yj-8nmz-sk2q symfony/yaml (CVE-2026-45304, low) - PKSA-ft77-7h5f-p3r6 symfony/yaml (CVE-2026-45305, low) - PKSA-b14r-zh1d-vdrc symfony/yaml (CVE-2026-45133, low) - PKSA-z3gr-8qht-p93v phpunit/phpunit (CVE-2026-24765, high; dev test runner) --- composer.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index b076cbe..e4cfd97 100644 --- a/composer.json +++ b/composer.json 
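Review bot: The `audit.ignore` entry added in the composer.json hunk has no removal condition, so PKSA-5r1g-c7b7-y1zg stays suppressed even after a fixed symfony/dom-crawler becomes installable, and the "Dev-only ... No prod exposure" claim is a string that nothing verifies. The entries added in PATCH 09/13 and PATCH 12/13 have the same gap. Because JSON takes no comments, the reason string is the only place to state the exit condition, for example by ending it with `Remove once pantheon-wordpress-upstream-tests no longer resolves an affected version.` A periodic review of the ignore list against `composer audit --locked` output would catch entries that have outlived their reason.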
@@ -47,7 +47,12 @@ }, "audit": { "ignore": { - "PKSA-5r1g-c7b7-y1zg": "Dev-only: symfony/dom-crawler via behat test deps (pantheon-wordpress-upstream-tests). No prod exposure. SITE-5205." + "PKSA-5r1g-c7b7-y1zg": "Dev-only: symfony/dom-crawler via behat test deps (pantheon-wordpress-upstream-tests). No prod exposure. SITE-5205.", + "PKSA-dwsq-ppd2-mb1x": "Dev-only: symfony/polyfill-intl-idn via guzzle (behat test deps). No prod exposure. SITE-5205.", + "PKSA-v5yj-8nmz-sk2q": "Dev-only: symfony/yaml via behat test deps. No prod exposure. SITE-5205.", + "PKSA-ft77-7h5f-p3r6": "Dev-only: symfony/yaml via behat test deps. No prod exposure. SITE-5205.", + "PKSA-b14r-zh1d-vdrc": "Dev-only: symfony/yaml via behat test deps. No prod exposure. SITE-5205.", + "PKSA-z3gr-8qht-p93v": "Dev-only: phpunit/phpunit test runner. No prod exposure. SITE-5205." } }, "sort-packages": true From ebfaf5b889df66cbf50c529c4b5888aa5f0031de Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Fri, 12 Jun 2026 10:41:16 -0400 Subject: [PATCH 10/13] ci(test-behat): use rotated SSH_PRIVATE_KEY secret for fixture site CI fixture credentials were rotated via the secret-manager provisioning script, which stores the bot's SSH private key under the secret name SSH_PRIVATE_KEY. Update the Behat workflow's ssh-agent step to reference the new name (was SITE_OWNER_SSH_PRIVATE_KEY). The TERMINUS_TOKEN secret already matched the provisioned name and needs no change. --- .github/workflows/test-behat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-behat.yml b/.github/workflows/test-behat.yml index 342c981..568ca6c 100644 --- a/.github/workflows/test-behat.yml +++ b/.github/workflows/test-behat.yml 
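Review bot: The entry for PKSA-z3gr-8qht-p93v ignores the one advisory the commit message rates high (CVE-2026-24765), yet its reason string carries neither the CVE id nor the severity, so in composer.json it reads as equivalent to the low-severity symfony entries. phpunit is executed on the CI runner, and at least the Behat workflow in this series loads an SSH key from secrets; whether the phpunit job sees any secrets is not visible here, but "No prod exposure" does not cover the runner. Raising the phpunit constraint to a fixed release would be preferable to an ignore if the supported PHP matrix allows it. If it does not, the entry should say so: `"PKSA-z3gr-8qht-p93v": "Dev-only: phpunit/phpunit test runner (CVE-2026-24765, high). Cannot upgrade: <constraint>. Runs in CI only. SITE-5205."` (constraint left as a placeholder).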
@@ -77,7 +77,7 @@ jobs: - name: Install SSH key uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1 with: - ssh-private-key: ${{ secrets.SITE_OWNER_SSH_PRIVATE_KEY }} + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - name: Configure Composer GitHub OAuth (optional) if: env.GITHUB_TOKEN != '' From 0f4c2ebb07791576e06371b5436f313c876351ad Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Fri, 12 Jun 2026 10:57:42 -0400 Subject: [PATCH 11/13] ci(lint-test): bump action-wporg-validator to v2.0.0 v1.0.0 (and all v1.1.x) run an internal `composer install` against the action's own bundled deps, whose composer.json never defined allow-plugins. Modern composer on the runner refuses to run the bundled phpcs-installer plugin, failing the WP.org Plugin Validation step with an allow-plugins error unrelated to this repo. v2.0.0 was rearchitected to wrap wordpress/plugin-check-action and no longer runs that composer install. --- .github/workflows/lint-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index bf1880b..6a04ea9 100644 --- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml @@ -57,7 +57,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: pantheon-systems/action-wporg-validator@4df6286ef133ca95bbc955728fc649322e433380 # 1.0.0 2023-06-09T19:59:09Z + - uses: pantheon-systems/action-wporg-validator@a4e56c641359547609152a5b3702f77625282ff2 # v2.0.0 2025-08-08T18:24:26Z with: type: 'plugin' test: From 7715ff9e009e0fd96548a29dc054307395b0e0cb Mon Sep 17 00:00:00 2001 
From: Asim Mehta Date: Fri, 12 Jun 2026 11:07:39 -0400 Subject: [PATCH 12/13] fix(deps): ignore dev-only guzzlehttp/psr7 advisories blocking PHP 7.4 resolve Composer 2.9+ blocks advisory-affected package versions during update/ require. The PHP 7.4 test job downgrades pantheon-wp-coding-standards to ^2 and runs `composer update`, which re-resolves the behat upstream-test chain (fabpot/goutte -> guzzle 6 -> guzzlehttp/psr7 ^1.9). psr7 <2.10.2 carries advisories and cannot be upgraded (guzzle 6 pins ^1.9), so the resolve failed with "could not be resolved to an installable set". Re-audited the locked set (composer audit --locked): all 6 pre-existing ignores still fire and are kept; added the 3 guzzlehttp/psr7 advisories (CVE-2026-48998, CVE-2026-49214, plus PKSA-hn62-zkx4-1y5q). All are dev-only behat test transitive deps with no production exposure; this plugin ships no runtime composer dependencies. --- composer.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index e4cfd97..8c1a1ce 100644 --- a/composer.json +++ b/composer.json 
@@ -52,7 +52,10 @@ "PKSA-v5yj-8nmz-sk2q": "Dev-only: symfony/yaml via behat test deps. No prod exposure. SITE-5205.", "PKSA-ft77-7h5f-p3r6": "Dev-only: symfony/yaml via behat test deps. No prod exposure. SITE-5205.", "PKSA-b14r-zh1d-vdrc": "Dev-only: symfony/yaml via behat test deps. No prod exposure. SITE-5205.", - "PKSA-z3gr-8qht-p93v": "Dev-only: phpunit/phpunit test runner. No prod exposure. SITE-5205." + "PKSA-z3gr-8qht-p93v": "Dev-only: phpunit/phpunit test runner. No prod exposure. SITE-5205.", + "PKSA-jj5t-2zs1-dcfm": "Dev-only: guzzlehttp/psr7 (CVE-2026-48998) via fabpot/goutte behat upstream tests. Cannot upgrade (guzzle 6 pins psr7 ^1.9). No prod exposure. SITE-5205.", + "PKSA-gm5x-j3mz-71n9": "Dev-only: guzzlehttp/psr7 (CVE-2026-49214) via fabpot/goutte behat upstream tests. Cannot upgrade (guzzle 6 pins psr7 ^1.9). No prod exposure. SITE-5205.", + "PKSA-hn62-zkx4-1y5q": "Dev-only: guzzlehttp/psr7 via fabpot/goutte behat upstream tests. Cannot upgrade (guzzle 6 pins psr7 ^1.9). No prod exposure. SITE-5205." } }, "sort-packages": true From f5766ded257000c54558f7e2ca4903aacdf1a40c Mon Sep 17 00:00:00 2001 From: Asim Mehta Date: Fri, 12 Jun 2026 11:22:10 -0400 Subject: [PATCH 13/13] Revert "ci(lint-test): bump action-wporg-validator to v2.0.0" This reverts commit 0f4c2ebb07791576e06371b5436f313c876351ad. --- .github/workflows/lint-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index 6a04ea9..bf1880b 100644 --- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml @@ -57,7 +57,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: pantheon-systems/action-wporg-validator@a4e56c641359547609152a5b3702f77625282ff2 # v2.0.0 2025-08-08T18:24:26Z + - uses: pantheon-systems/action-wporg-validator@4df6286ef133ca95bbc955728fc649322e433380 # 1.0.0 2023-06-09T19:59:09Z with: type: 'plugin' test: