Update dependency wp-coding-standards/wpcs to v3

[specmatic-builder]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
wp-coding-standards/wpcs	^2.2 -> ^3.0
wp-coding-standards/wpcs	2.2.1 -> 3.2.0
wp-coding-standards/wpcs	^2.3 -> ^3.0

---

Release Notes

WordPress/WordPress-Coding-Standards (wp-coding-standards/wpcs)

v3.2.0

Compare Source

Added

• New WordPress.WP.GetMetaSingle sniff to the WordPress-Extra ruleset. Props [@​rodrigoprimo]! #​2465
  This sniff warns when get_*_meta() and get_metadata*() functions are used with the $meta_key/$key param, but without the $single parameter as this could lead to unexpected behavior due to the different return types.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.Strings.UnnecessaryHeredoc and Generic.WhiteSpace.HereNowdocIdentifierSpacing. #​2534
• The rest_sanitize_boolean() functions to the list of known "sanitizing" functions. Props [@​westonruter]. #​2530
• End-user documentation to the following existing sniffs: WordPress.DB.PreparedSQL (props [@​jaymcp], #​2454), WordPress.NamingConventions.ValidFunctionName (props [@​richardkorthuis] and [@​rodrigoprimo], #​2452, #​2531), WordPress.NamingConventions.ValidVariableName (props [@​richardkorthuis], #​2457).
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.

Changed

• The minimum required PHP_CodeSniffer version to 3.13.0 (was 3.9.0). #​2532
• The minimum required PHPCSUtils version to 1.1.0 (was 1.0.10). #​2532
• The minimum required PHPCSExtra version to 1.4.0 (was 1.2.1). #​2532
• Sniffs based on the AbstractFunctionParameterSniff will now call a dedicated process_first_class_callable() method for PHP 8.1+ first class callables. Props [@​rodrigoprimo], [@​jrfnl]. #​2518, #​2544
  By default, the method won't do anything, but individual sniffs extending the AbstractFunctionParameterSniff class can choose to implement the method to handle first class callables.
  Previously, first class callables were treated as a function call without parameters and would trigger the process_no_parameters() method.
• The minimum required prefix length for the WordPress.NamingConventions.PrefixAllGlobals sniff has been changed from 3 to 4 characters. Props [@​davidperezgar]. #​2479
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.5. #​2553
• WordPress.NamingConventions.ValidVariableName now allows for PHP 8.4 properties in interfaces. #​2532
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.8.1. #​2537
• WordPress.WP.Capabilities has been updated to recognize new capabilities introduced in WP up to WP 6.8.1. #​2537
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.8.1. #​2537
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.8.1. #​2537
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.8.1. #​2537
• WordPress.WP.DeprecatedParameterValues now detects parameter values deprecated in WordPress up to WP 6.8.1. #​2537
• Minor performance improvements.
• Developer happiness: prevent creating a composer.lock file. Thanks [@​fredden]! #​2443
• Various housekeeping, including documentation and test improvements. Includes contributions by [@​rodrigoprimo] and [@​szepeviktor].
• All sniffs are now also being tested against PHP 8.4 for consistent sniff results. #​2511

Deprecated

Removed

• The Generic.Functions.CallTimePassByReference has been removed from the WordPress-Extra ruleset. Props [@​rodrigoprimo]. #​2536
  This sniff was dated anyway and deprecated in PHP_CodeSniffer. If you need to check if your code is PHP cross-version compatible, use the [PHPCompatibility] standard instead.

Fixed

• Sniffs based on the AbstractClassRestrictionsSniff could previously run into a PHPCS Internal.Exception, leading to fixes not being made. #​2500
• Sniffs based on the AbstractFunctionParameterSniff will now bow out more often when it is sure the code under scan is not calling the target function and during live coding, preventing false positives. Props [@​rodrigoprimo]. #​2518

v3.1.0

Compare Source

Added

• WordPress-Core ruleset: now includes the Universal.PHP.LowercasePHPTag sniff.
• WordPress-Extra ruleset: now includes the Generic.CodeAnalysis.RequireExplicitBooleanOperatorPrecedence and the Universal.CodeAnalysis.NoDoubleNegative sniffs.
• The sanitize_locale_name() function to the list of known "escaping" functions. Props [@​Chouby]
• The sanitize_locale_name() function to the list of known "sanitize & unslash" functions. Props [@​Chouby]

Changed

• The minimum required PHP_CodeSniffer version to 3.9.0 (was 3.7.2).
• The minimum required PHPCSUtils version to 1.0.10 (was 1.0.8).
• The minimum required PHPCSExtra version to 1.2.1 (was 1.1.0).
  Please ensure you run composer update wp-coding-standards/wpcs --with-dependencies to benefit from these updates.
• Core ruleset: the spacing after the use keyword for closure use statements will now consistently be checked. Props [@​westonruter] for reporting.
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.2.
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP 6.4 and 6.5.
• WordPress.NamingConventions.ValidPostTypeSlug has been updated to recognize reserved post types introduced in WP 6.4 and 6.5.
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP 6.4 and 6.5.
• WordPress.WP.DeprecatedClasses now detects classes deprecated in WordPress up to WP 6.5.
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.5.
• The IsUnitTestTrait will now recognize classes which extend the new WP Core WP_Font_Face_UnitTestCase class as test classes.
• The test suite can now run on PHPUnit 4.x - 9.x (was 4.x - 7.x), which should make contributing more straight forward.
• Various housekeeping, includes a contribution from [@​rodrigoprimo].

Fixed

• WordPress.WP.PostsPerPage could potentially result in an Internal.Exception when encountering a query string which doesn't include the value for posts_per_page in the query string. Props [@​anomiex] for reporting.

v3.0.1

Compare Source

Added

• In WordPressCS 3.0.0, the functionality of the WordPress.Security.EscapeOutput sniff was updated to report unescaped message parameters passed to exceptions created in throw statements. This specific violation now has a separate error code: ExceptionNotEscaped. This will allow users to ignore or exclude that specific error code. Props [@​anomiex].
  The error code(s) for other escaping issues flagged by the sniff remain unchanged.

Changed

• Updated the CI workflow to test the example ruleset for issues.
• Funding files and updates in the Readme about funding the project.

Fixed

• Fixed a sniff name in the phpcs.xml.dist.sample file (case-sensitive sniff name). Props [@​dawidurbanski].

v3.0.0

Compare Source

Important information about this release:

At long last... WordPressCS 3.0.0 is here.

This is an important release which makes significant changes to improve the accuracy, performance, stability and maintainability of all sniffs, as well as making WordPressCS much better at handling modern PHP.

WordPressCS 3.0.0 contains breaking changes, both for people using ignore annotations, people maintaining custom rulesets, as well as for sniff developers who maintain a custom PHPCS standard based on WordPressCS.

If you are an end-user or maintain a custom WordPressCS based ruleset, please start by reading the Upgrade Guide to WordPressCS 3.0.0 for end-users which lists the most important changes and contains a step by step guide for upgrading.

If you are a maintainer of an external standard based on WordPressCS and any of your custom sniffs are based on or extend WordPressCS sniffs, please read the Upgrade Guide to WordPressCS 3.0.0 for Developers.

In all cases, please read the complete changelog carefully before you upgrade.

Added

• Dependencies on the following packages: PHPCSUtils, PHPCSExtra and the [Composer PHPCS plugin].
• A best effort has been made to add support for the new PHP syntaxes/features to all WordPressCS native sniffs and utility functions (or to verify/improve existing support).
  While support in external sniffs used by WordPressCS has not be exhaustively verified, a lot of work has been done to try and add support for new PHP syntaxes to those as well.
  WordPressCS native sniffs and utilities have received fixes for the following syntaxes:
  • PHP 7.2
    • Keyed lists.
  • PHP 7.3
    • Flexible heredoc/nowdoc (providing the PHPCS scan is run on PHP 7.3 or higher).
    • Trailing commas in function calls.
  • PHP 7.4
    • Arrow functions.
    • Array unpacking in array expressions.
    • Numeric literals with underscores.
    • Typed properties.
    • Null coalesce equals operator.
  • PHP 8.0
    • Nullsafe object operators.
    • Match expressions.
    • Named arguments in function calls.
    • Attributes.
    • Union types // including supporting the false and null types.
    • Constructor property promotion.
    • $object::class
    • Throw as an expression.
  • PHP 8.1
    • Enumerations.
    • Explicit octal notation.
    • Final class constants
    • First class callables.
    • Intersection types.
  • PHP 8.2
    • Constants in traits.
• New WordPress.CodeAnalysis.AssignmentInTernaryCondition sniff to the WordPress-Core ruleset which partially replaces the removed WordPress.CodeAnalysis.AssignmentInCondition sniff.
• New WordPress.WhiteSpace.ObjectOperatorSpacing sniff which replaces the use of the Squiz.WhiteSpace.ObjectOperatorSpacing sniff in the WordPress-Core ruleset.
• New WordPress.WP.ClassNameCase sniff to the WordPress-Core ruleset, to check that any class name references to WP native classes and classes from external dependencies use the case of the class as per the class declaration.
• New WordPress.WP.Capabilities sniff to the WordPress-Extra ruleset. This sniff checks that valid capabilities are used, not roles or user levels. Props, amongst others, to [@​grappler] and [@​khacoder].
  Custom capabilities can be added to the sniff via a custom_capabilities ruleset property.
  The sniff also supports the minimum_wp_version property to allow the sniff to accurately determine how the use of deprecated capabilities should be flagged.
• The WordPress.WP.CapitalPDangit sniff contains a new check to verify the correct spelling of WordPress in namespace names.
• The WordPress.WP.I18n sniff contains a new EmptyTextDomain error code for an empty text string being passed as the text domain, which overrules the default value of the parameter and renders a text untranslatable.
• The WordPress.DB.PreparedSQLPlaceholders sniff has been expanded with additional checks for the correct use of the %i placeholder, which was introduced in WP 6.2. Props [@​craigfrancis].
  The sniff now also supports the minimum_wp_version ruleset property to determine whether the %i placeholder can be used.
• WordPress-Core: the following additional sniffs (or select error codes from these sniffs) have been added to the ruleset: Generic.CodeAnalysis.AssignmentInCondition, Generic.CodeAnalysis.EmptyPHPStatement (replaces the WordPressCS native sniff), Generic.VersionControl.GitMergeConflict, Generic.WhiteSpace.IncrementDecrementSpacing, Generic.WhiteSpace.LanguageConstructSpacing, Generic.WhiteSpace.SpreadOperatorSpacingAfter, PSR2.Classes.ClassDeclaration, PSR2.Methods.FunctionClosingBrace, PSR12.Classes.ClassInstantiation, PSR12.Files.FileHeader (select error codes only), PSR12.Functions.NullableTypeDeclaration, PSR12.Functions.ReturnTypeDeclaration, PSR12.Traits.UseDeclaration, Squiz.Functions.MultiLineFunctionDeclaration (replaces part of the WordPress.WhiteSpace.ControlStructureSpacing sniff), Modernize.FunctionCalls.Dirname, NormalizedArrays.Arrays.ArrayBraceSpacing (replaces part of the WordPress.Arrays.ArrayDeclarationSpacing sniff), NormalizedArrays.Arrays.CommaAfterLast (replaces the WordPressCS native sniff), Universal.Classes.ModifierKeywordOrder, Universal.Classes.RequireAnonClassParentheses, Universal.Constants.LowercaseClassResolutionKeyword, Universal.Constants.ModifierKeywordOrder, Universal.Constants.UppercaseMagicConstants, Universal.Namespaces.DisallowCurlyBraceSyntax, Universal.Namespaces.DisallowDeclarationWithoutName, Universal.Namespaces.OneDeclarationPerFile, Universal.NamingConventions.NoReservedKeywordParameterNames, Universal.Operators.DisallowShortTernary (replaces the WordPressCS native sniff), Universal.Operators.DisallowStandalonePostIncrementDecrement, Universal.Operators.StrictComparisons (replaces the WordPressCS native sniff), Universal.Operators.TypeSeparatorSpacing, Universal.UseStatements.DisallowMixedGroupUse, Universal.UseStatements.KeywordSpacing, Universal.UseStatements.LowercaseFunctionConst, Universal.UseStatements.NoLeadingBackslash, Universal.UseStatements.NoUselessAliases, Universal.WhiteSpace.CommaSpacing, Universal.WhiteSpace.DisallowInlineTabs (replaces the WordPressCS native sniff), Universal.WhiteSpace.PrecisionAlignment (replaces the WordPressCS native sniff), Universal.WhiteSpace.AnonClassKeywordSpacing.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.CodeAnalysis.UnusedFunctionParameter, Universal.Arrays.DuplicateArrayKey, Universal.CodeAnalysis.ConstructorDestructorReturn, Universal.CodeAnalysis.ForeachUniqueAssignment, Universal.CodeAnalysis.NoEchoSprintf, Universal.CodeAnalysis.StaticInFinalClass, Universal.ControlStructures.DisallowLonelyIf, Universal.Files.SeparateFunctionsFromOO.
• WordPress.Utils.I18nTextDomainFixer: the load_script_textdomain() function to the functions the sniff looks for.
• WordPress.WP.AlternativeFunctions: the following PHP native functions have been added to the sniff and will now be flagged when used: unlink() (in a new unlink group) , rename() (in a new rename group), chgrp(), chmod(), chown(), is_writable() is_writeable(), mkdir(), rmdir(), touch(), fputs() (in the existing file_system_operations group, which was previously named file_system_read). Props [@​sandeshjangam] and [@​JDGrimes].
• The PHPUnit_Adapter_TestCase class to the list of "known test (case) classes".
• The antispambot() function to the list of known "formatting" functions.
• The esc_xml() and wp_kses_one_attr() functions to the list of known "escaping" functions.
• The wp_timezone_choice() and wp_readonly() functions to the list of known "auto escaping" functions.
• The sanitize_url() and wp_kses_one_attr() functions to the list of known "sanitizing" functions.
• Metrics for blank lines at the start/end of a control structure body to the WordPress.WhiteSpace.ControlStructureSpacing sniff. These can be displayed using --report=info when the blank_line_check property has been set to true.
• End-user documentation to the following new and pre-existing sniffs: WordPress.DateTime.RestrictedFunctions, WordPress.NamingConventions.PrefixAllGlobals (props [@​Ipstenu]), WordPress.PHP.StrictInArray (props [@​marconmartins]), WordPress.PHP.YodaConditions (props [@​Ipstenu]), WordPress.WhiteSpace.ControlStructureSpacing (props [@​ckanitz]), WordPress.WhiteSpace.ObjectOperatorSpacing, WordPress.WhiteSpace.OperatorSpacing (props [@​ckanitz]), WordPress.WP.CapitalPDangit (props [@​NielsdeBlaauw]), WordPress.WP.Capabilities, WordPress.WP.ClassNameCase, WordPress.WP.EnqueueResourceParameters (props [@​NielsdeBlaauw]).
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.
  Note: all sniffs which have been added from PHPCSExtra (Universal, Modernize, NormalizedArrays sniffs) are also fully documented.

Added (internal/dev-only)

• New Helper classes:
  • ArrayWalkingFunctionsHelper
  • ConstantsHelper *
  • ContextHelper *
  • DeprecationHelper *
  • FormattingFunctionsHelper
  • ListHelper *
  • RulesetPropertyHelper *
  • SnakeCaseHelper *
  • UnslashingFunctionsHelper
  • ValidationHelper
  • VariableHelper *
  • WPGlobalVariablesHelper
  • WPHookHelper
• New Helper traits:
  • EscapingFunctionsTrait
  • IsUnitTestTrait
  • MinimumWPVersionTrait
  • PrintingFunctionsTrait
  • SanitizationHelperTrait *
  • WPDBTrait

These classes and traits mostly contain pre-existing functionality moved from the Sniff class.
The classes marked with an * are considered internal and do not have any promise of future backward compatibility.

More information is available in the Upgrade Guide to WordPressCS 3.0.0 for Developers.

Changed

• As of this version, installation via Composer is the only supported manner of installation.
  Installing in a different manner (git clone/PEAR/PHAR) is still possible, but no longer supported.
• The minimum required PHP_CodeSniffer version to 3.7.2 (was 3.3.1).
• Composer: the package will now identify itself as a static analysis tool.
• The PHP filter, libxml and XMLReader extensions are now explicitly required.
  It is recommended to also have the Mbstring and iconv extensions enabled for the most accurate results.
• The release branch has been renamed from master to main.
• The following sniffs have been moved from WordPress-Extra to WordPress-Core: the Generic.Files.OneObjectStructurePerFile (also changed from warning to error),
  Generic.PHP.BacktickOperator, PEAR.Files.IncludingFile, PSR2.Classes.PropertyDeclaration, PSR2.Methods.MethodDeclaration, Squiz.Scope.MethodScope, Squiz.WhiteSpace.ScopeKeywordSpacing sniffs. Props, amongst others, to [@​desrosj].
• WordPress-Core: The Generic.Arrays.DisallowShortArraySyntax sniff has been replaced by the Universal.Arrays.DisallowShortArraySyntax sniff.
  The new sniff will recognize short lists correctly and ignore them.
• WordPress-Core: The Generic.Files.EndFileNewline sniff has been replaced by the more comprehensive PSR2.Files.EndFileNewline sniff.
• A number of sniffs support setting the minimum WP version for the code being scanned.
  This could be done in two different ways:
  1. By setting the minimum_supported_version property for each sniff from a ruleset.
  2. By passing --runtime-set minimum_supported_wp_version #.# on the command line.
     The names of the property and the CLI setting have now been aligned to both use minimum_wp_version as the name.
     Both ways of passing the value are still supported.
• WordPress.NamingConventions.PrefixAllGlobals: the custom_test_class_whitelist property has been renamed to custom_test_classes.
• WordPress.NamingConventions.ValidVariableName: the customPropertiesWhitelist property has been renamed to allowed_custom_properties.
• WordPress.PHP.NoSilencedErrors: the custom_whitelist property has been renamed to customAllowedFunctionsList.
• WordPress.PHP.NoSilencedErrors: the use_default_whitelist property has been renamed to usePHPFunctionsList.
• WordPress.WP.GlobalVariablesOverride: the custom_test_class_whitelist property has been renamed to custom_test_classes.
• Sniffs are now able to handle fully qualified names for custom test classes provided via a custom_test_classes (previously custom_test_class_whitelist) ruleset property.
• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.0.
• WordPress.NamingConventions.PrefixAllGlobals now takes new pluggable constants into account as introduced in WordPress up to WP 6.3.
• WordPress.NamingConventions.ValidPostTypeSlug now takes new reserved post types into account as introduced in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedClasses now detects classes deprecated in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedParameterValues now detects parameter values deprecated in WordPress up to WP 6.3.
• WordPress.Utils.I18nTextDomainFixer: the lists of recognized plugin and theme header tags has been updated based on the current information in the plugin and theme handbooks.
• WordPress.WP.AlternativeFunctions: the "group" name file_system_read, which can be used with the exclude property, has been renamed to file_system_operations.
  This also means that the error codes for individual functions flagged via that group have changed from WordPress.WP.AlternativeFunctions.file_system_read_* to WordPress.WP.AlternativeFunctions.file_system_operations_*.
• WordPress.WP.CapitalPDangit: the Misspelled error code has been split into two error codes - MisspelledInText and MisspelledInComment - to allow for more modular exclusions/selectively turning off the auto-fixer for the sniff.
• WordPress.WP.I18n no longer throws both the MissingSingularPlaceholder and the MismatchedPlaceholders for the same code, as the errors have an overlap.
• WordPress-Core: previously only the spacing around commas in arrays, function declarations and function calls was checked. Now, the spacing around commas will be checked in all contexts.
• WordPress.Arrays.ArrayKeySpacingRestrictions: a new SpacesBetweenBrackets error code has been introduced for the spacing between square brackets for array assignments without key. Previously, this would throw a NoSpacesAroundArrayKeys error with an unclear error message.
• WordPress.Files.FileName now recognizes more word separators, meaning that files using other word separators than underscores will now be flagged for not using hyphenation.
• WordPress.Files.FileName now checks if a file contains a test class and if so, will bow out.
  This change was made to prevent issues with PHPUnit 9.1+, which strongly prefers PSR4-style file names.
  Whether something is test class or not is based on a pre-defined list of "known" test case classes which can be extended and, optionally, a list of user provided test case classes provided via setting the custom_test_classes property in a custom ruleset or the complete test directory can be excluded via a custom ruleset.
• WordPress.NamingConventions.PrefixAllGlobals now allows for pluggable functions and classes, which should not be prefixed when "plugged".
• WordPress.PHP.NoSilencedErrors: the metric, which displays in the info report, has been renamed from "whitelisted function call" to "silencing allowed function call".
• WordPress.Security.EscapeOutput now flags the use of get_search_query( false ) when generating output (as the false turns off the escaping).
• WordPress.Security.EscapeOutput now also examines parameters passed for exception creation in throw statements and expressions for correct escaping.
• WordPress.Security.ValidatedSanitizedInput now examines all superglobal (except for $GLOBALS). Previously, the $_SESSION and $_ENV superglobals would not be flagged as needing validation/sanitization.
• WordPress.WP.I18n now recognizes the new PHP 8.0+ h and H type specifiers.
• WordPress.WP.PostsPerPage has improved recognition for numbers prefixed with a unary operator and non-decimal numbers.
• WordPress.DB.PreparedSQL will identify more precisely the code which is problematic.
• WordPress.DB.PreparedSQLPlaceholders will identify more precisely the code which is problematic.
• WordPress.DB.SlowDBQuery will identify more precisely the code which is problematic.
• WordPress.Security.PluginMenuSlug: the error will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.DiscouragedConstants: the error will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.EnqueuedResourceParameters: the error will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.I18n: the errors will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.PostsPerPage will identify more precisely the code which is problematic.
• WordPress.PHP.TypeCasts.UnsetFound has been changed from a warning to an error as the (unset) cast is no longer available in PHP 8.0 and higher.
• WordPress.WP.EnqueuedResourceParameters.MissingVersion has been changed from an error to a warning.
• WordPress.Arrays.ArrayKeySpacingRestrictions: improved the clarity of the error messages for the TooMuchSpaceBeforeKey and TooMuchSpaceAfterKey error codes.
• WordPress.CodeAnalysis.EscapedNotTranslated: improved the clarity of the error message.
• WordPress.PHP.IniSet: improved the clarity of the error messages for the sniff.
• WordPress.PHP.PregQuoteDelimiter: improved the clarity of the error message for the Missing error code.
• WordPress.PHP.RestrictedFunctions: improved the clarity of the error messages for the sniff.
• WordPress.PHP.RestrictedPHPFunctions: improved the error message for the create_function_create_function error code.
• WordPress.PHP.TypeCast: improved the clarity of the error message for the UnsetFound error code. It will no longer advise assigning null.
• WordPress.Security.SafeRedirect: improved the clarity of the error message. (very minor)
• WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error messages for the MissingUnslash error code.
• WordPress.WhiteSpace.CastStructureSpacing: improved the clarity of the error message for the NoSpaceBeforeOpenParenthesis error code.
• WordPress.WP.I18n: improved the clarity of the error messages for the sniff.
• WordPress.WP.I18n: the error messages will now use the correct parameter name.
• The error messages for the WordPress.CodeAnalysis.EscapedNotTranslated, WordPress.NamingConventions.PrefixAllGlobals, WordPress.NamingConventions.ValidPostTypeSlug, WordPress.PHP.IniSet, and the WordPress.PHP.NoSilencedErrors sniff will now display the code sample found without comments and extranuous whitespace.
• Various updates to the README, the example ruleset and other documentation. Props, amongst others, to [@​Luc45], [@​slaFFik].
• Continuous Integration checks are now run via GitHub Actions. Props [@​desrosj].
• Various other CI/QA improvements.
• Code coverage will now be monitored via CodeCov.
• All sniffs are now also being tested against PHP 8.0, 8.1, 8.2 and 8.3 for consistent sniff results.

Changed (internal/dev-only)

• All non-abstract classes in WordPressCS are now final with the exception of the following four classes which are known to be extended by external PHPCS standards build on top of WordPressCS: WordPress.NamingConventions.ValidHookName, WordPress.Security.EscapeOutput,WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.
• Most remaining utility properties and methods, previously contained in the WordPressCS\WordPress\Sniff class, have been moved to dedicated Helper classes and traits or, in some cases, to the sniff class using them.
  As this change is only relevant for extenders, the full details of these moves are not included in this changelog, but can be found in the Developers Upgrade Guide to WordPressCS 3.0.0
• A few customizable public properties, which were used by multiple sniffs, have been moved from *Sniff classes to traits. Again, the full details of these moves are not included in this changelog, but can be found in the Developers Upgrade Guide to WordPressCS 3.0.0
• A number of non-public properties in sniffs have been renamed.
  As this change is only relevant for extenders, the full details of these renames are not included in this changelog, but can be found in the Developers Upgrade Guide to WordPressCS 3.0.0
• AbstractFunctionRestrictionsSniff: The whitelist key in the $groups array property has been renamed to allow.
• The WordPress.NamingConventions.ValidFunctionName sniff no longer extends the similar PHPCS native PEAR sniff.

Removed

• Support for the deprecated, old-style WordPressCS native ignore annotations. Use the PHPCS native selective ignore annotations instead.
• The following WordPressCS native sniffs have been removed:
  • The WordPress.Arrays.CommaAfterArrayItem sniff (replaced by the NormalizedArrays.Arrays.CommaAfterLast and the Universal.WhiteSpace.CommaSpacing sniffs).
  • The WordPress.Classes.ClassInstantiation sniff (replaced by the PSR12.Classes.ClassInstantiation, Universal.Classes.RequireAnonClassParentheses and Universal.WhiteSpace.AnonClassKeywordSpacing sniffs).
  • The WordPress.CodeAnalysis.AssignmentInCondition sniff (replaced by the Generic.CodeAnalysis.AssignmentInCondition and the WordPress.CodeAnalysis.AssignmentInTernaryCondition sniffs).
  • The WordPress.CodeAnalysis.EmptyStatement sniff (replaced by the Generic.CodeAnalysis.EmptyPHPStatement sniff).
  • The WordPress.PHP.DisallowShortTernary sniff (replaced by the Universal.Operators.DisallowShortTernary sniff).
  • The WordPress.PHP.StrictComparisons sniff (replaced by the Universal.Operators.StrictComparisons sniff).
  • The WordPress.WhiteSpace.DisallowInlineTabs sniff (replaced by the Universal.WhiteSpace.DisallowInlineTabs sniff).
  • The WordPress.WhiteSpace.PrecisionAlignment sniff (replaced by the Universal.WhiteSpace.PrecisionAlignment sniff).
  • The WordPress.WP.TimezoneChange sniff (replaced by the WordPress.DateTime.RestrictedFunctions sniff). This sniff was previously already deprecated.
• WordPress-Extra: The Squiz.WhiteSpace.LanguageConstructSpacing sniff (replaced by the added, more comprehensive Generic.WhiteSpace.LanguageConstructSpacing sniff in the WordPress-Core ruleset).
• WordPress.Arrays.ArrayDeclarationSpacing: array brace spacing checks (replaced by the NormalizedArrays.Arrays.ArrayBraceSpacing sniff).
• WordPress.WhiteSpace.ControlStructureSpacing: checks for the spacing for function declarations (replaced by the Squiz.Functions.MultiLineFunctionDeclaration sniff).
  Includes removal of the spaces_before_closure_open_paren property for this sniff.
• WordPress.WP.I18n: the check_translator_comments property.
  Exclude the WordPress.WP.I18n.MissingTranslatorsComment and the WordPress.WP.I18n.TranslatorsCommentWrongStyle error codes instead.
• WordPressCS will no longer check for assigning the return value of an object instantiation by reference.
  This is a PHP parse error since PHP 7.0. Use the PHPCompatibilityWP standard to check for PHP cross-version compatibility issues.
• The check for object instantiations will no longer check JavaScript files.
• The WordPress.Arrays.ArrayKeySpacingRestrictions.MissingBracketCloser error code as sniffs should not report on parse errors.
• The WordPress.CodeAnalysis.AssignmentIn[Ternary]Condition.NonVariableAssignmentFound error code as sniffs should not report on parse errors.
• The Block_Supported_Styles_Test class will no longer incorrectly be recognized as an extendable test case class.

Removed (internal/dev-only)

• AbstractArrayAssignmentRestrictionsSniff: support for the optional 'callback' key in the array returned by getGroups().
• WordPressCS\WordPress\PHPCSHelper class (use the PHPCSUtils\BackCompat\Helper class instead).
• WordPressCS\WordPress\Sniff::addMessage() method (use the PHPCSUtils\Utils\MessageHelper::addMessage() method instead).
• WordPressCS\WordPress\Sniff::addFixableMessage() method (use the PHPCSUtils\Utils\MessageHelper::addFixableMessage() method instead).
• WordPressCS\WordPress\Sniff::determine_namespace() method (use the PHPCSUtils\Utils\Namespaces::determineNamespace() method instead).
• WordPressCS\WordPress\Sniff::does_function_call_have_parameters() method (use the PHPCSUtils\Utils\PassedParameters::hasParameters() method instead).
• WordPressCS\WordPress\Sniff::find_array_open_close() method (use the PHPCSUtils\Utils\Arrays::getOpenClose() method instead).
• WordPressCS\WordPress\Sniff::find_list_open_close() method (use the PHPCSUtils\Utils\Lists::getOpenClose() method instead).
• WordPressCS\WordPress\Sniff::get_declared_namespace_name() method (use the PHPCSUtils\Utils\Namespaces::getDeclaredName() method instead).
• WordPressCS\WordPress\Sniff::get_function_call_parameter_count() method (use the PHPCSUtils\Utils\PassedParameters::getParameterCount() method instead).
• WordPressCS\WordPress\Sniff::get_function_call_parameters() method (use the PHPCSUtils\Utils\PassedParameters::getParameters() method instead).
• WordPressCS\WordPress\Sniff::get_function_call_parameter() method (use the PHPCSUtils\Utils\PassedParameters::getParameter() method instead).
• WordPressCS\WordPress\Sniff::get_interpolated_variables() method (use the PHPCSUtils\Utils\TextStrings::getEmbeds() method instead).
• WordPressCS\WordPress\Sniff::get_last_ptr_on_line() method (no replacement available at this time).
• WordPressCS\WordPress\Sniff::get_use_type() method (use the PHPCSUtils\Utils\UseStatements::getType() method instead).
• WordPressCS\WordPress\Sniff::has_whitelist_comment() method (no replacement).
• WordPressCS\WordPress\Sniff::$hookFunctions property (no replacement available at this time).
• WordPressCS\WordPress\Sniff::init() method (no replacement).
• WordPressCS\WordPress\Sniff::is_class_constant() method (use the PHPCSUtils\Utils\Scopes::isOOConstant() method instead).
• WordPressCS\WordPress\Sniff::is_class_property() method (use the PHPCSUtils\Utils\Scopes::isOOProperty() method instead).
• WordPressCS\WordPress\Sniff::is_foreach_as() method (use the PHPCSUtils\Utils\Context::inForeachCondition() method instead).
• WordPressCS\WordPress\Sniff::is_short_list() method (depending on your needs, use the PHPCSUtils\Utils\Lists::isShortList() or the PHPCSUtils\Utils\Arrays::isShortArray() method instead).
• WordPressCS\WordPress\Sniff::is_token_in_test_method() method (no replacement available at this time).
• WordPressCS\WordPress\Sniff::REGEX_COMPLEX_VARS constant (use the PHPCSUtils PHPCSUtils\Utils\TextStrings::stripEmbeds() and PHPCSUtils\Utils\TextStrings::getEmbeds() methods instead).
• WordPressCS\WordPress\Sniff::string_to_errorcode() method (use the PHPCSUtils\Utils\MessageHelper::stringToErrorcode() method instead).
• WordPressCS\WordPress\Sniff::strip_interpolated_variables() method (use the PHPCSUtils\Utils\TextStrings::stripEmbeds() method instead).
• WordPressCS\WordPress\Sniff::strip_quotes() method (use the PHPCSUtils\Utils\TextStrings::stripQuotes() method instead).
• WordPressCS\WordPress\Sniff::valid_direct_scope() method (use the PHPCSUtils\Utils\Scopes::validDirectScope() method instead).
• Unused dev-only files in the (now removed) bin directory.

Fixed

• All sniffs which, in one way or another, check whether code represents a short list or a short array will now do so more accurately.
  This fixes various false positives and false negatives.
• Sniffs supporting the minimum_wp_version property (previously minimum_supported_version) will no longer throw a "passing null to non-nullable" deprecation notice on PHP 8.1+.
• WordPress.WhiteSpace.ControlStructureSpacing no longer throws a TypeError on PHP 8.0+.
• WordPress.NamingConventions.PrefixAllGlobalsno longer throws a "passing null to non-nullable" deprecation notice on PHP 8.1+.
• WordPress.WP.I18n no longer throws a "passing null to non-nullable" deprecation notice on PHP 8.1+.
• VariableHelper::is_comparison() (previously Sniff::is_comparison()): fixed risk of undefined array key notice when scanning code containing parse errors.
• AbstractArrayAssignmentRestrictionsSniff could previously get confused when it encountered comments in unexpected places.
  This fix has a positive impact on all sniffs which are based on this abstract (2 sniffs).
• AbstractArrayAssignmentRestrictionsSniff no longer examines numeric string keys as PHP treats those as integer keys, which were never intended as the target of this abstract.
  This fix has a positive impact on all sniffs which are based on this abstract (2 sniffs).
• AbstractArrayAssignmentRestrictionsSniff in case of duplicate entries, the sniff will now only examine the last value, as that's the value PHP will see.
  This fix has a positive impact on all sniffs which are based on this abstract (2 sniffs).
• AbstractArrayAssignmentRestrictionsSniff now determines the assigned value with higher accuracy.
  This fix has a positive impact on all sniffs which are based on this abstract (2 sniffs).
• AbstractClassRestrictionsSniff now treats the namespace keyword when used as an operator case-insensitively.
  This fix has a positive impact on all sniffs which are based on this abstract (3 sniffs).
• AbstractClassRestrictionsSniff now treats the hierarchy keywords (self, parent, static) case-insensitively.
  This fix has a positive impact on all sniffs which are based on this abstract (3 sniffs).
• AbstractClassRestrictionsSniff now limits itself correctly when trying to find a class name before a ::.
  This fix has a positive impact on all sniffs which are based on this abstract (3 sniffs).
• AbstractClassRestrictionsSniff: false negatives on class instantiation statements ending on a PHP close tag.
  This fix has a positive impact on all sniffs which are based on this abstract (3 sniffs).
• AbstractClassRestrictionsSniff: false negatives on class instantiation statements combined with method chaining.
  This fix has a positive impact on all sniffs which are based on this abstract (3 sniffs).
• AbstractFunctionRestrictionsSniff: false positives on function declarations when the function returns by reference.
  This fix has a positive impact on all sniffs which are based on this abstract (nearly half of the WordPressCS sniffs).
• AbstractFunctionRestrictionsSniff: false positives on instantiation of a class with the same name as a targeted function.
  This fix has a positive impact on all sniffs which are based on this abstract (nearly half of the WordPressCS sniffs).
• AbstractFunctionRestrictionsSniff now respects that function names in PHP are case-insensitive in more places.
  This fix has a positive impact on all sniffs which are based on this abstract (nearly half of the WordPressCS sniffs).
• Various utility methods in Helper classes/traits have received fixes to correctly treat function and class names as case-insensitive.
  These fixes have a positive impact on all sniffs using these methods.
• Version comparisons done by sniffs supporting the minimum_wp_version property (previously minimum_supported_version) will now be more precise.
• WordPress.Arrays.ArrayIndentation now ignores indentation issues for array items which are not the first thing on a line. This fixes a potential fixer conflict.
• WordPress.Arrays.ArrayKeySpacingRestrictions: signed positive integer keys will now be treated the same as signed negative integer keys.
• WordPress.Arrays.ArrayKeySpacingRestrictions: keys consisting of calculations will now be recognized more accurately.
• WordPress.Arrays.ArrayKeySpacingRestrictions.NoSpacesAroundArrayKeys: now has better protection in case of a fixer conflict.
• WordPress.Classes.ClassInstantiation could create parse errors when fixing a class instantiation using variable variables. This has been fixed by replacing the sniff with the PSR12.Classes.ClassInstantiation sniff (and some others).
• WordPress.DB.DirectDatabaseQuery could previously get confused when it encountered comments in unexpected places.
• WordPress.DB.DirectDatabaseQuery now respects that function (method) names in PHP are case-insensitive.
• WordPress.DB.DirectDatabaseQuery now only looks at the current statement to find a method call to the $wpdb object.
• WordPress.DB.DirectDatabaseQuery no longer warns about TRUNCATE queries as those cannot be cached and need a direct database query.
• WordPress.DB.PreparedSQL could previously get confused when it encountered comments in unexpected places.
• WordPress.DB.PreparedSQL now respects that function names in PHP are case-insensitive.
• WordPress.DB.PreparedSQL improved recognition of interpolated variables and expressions in the $text argument. This fixes both some false negatives as well as some false positives.
• WordPress.DB.PreparedSQL stricter recognition of the $wpdb variable in double quoted query strings.
• WordPress.DB.PreparedSQL false positive for floating point numbers concatenated into an SQL query.
• WordPress.DB.PreparedSQLPlaceholders could previously get confused when it encountered comments in unexpected places.
• WordPress.DB.PreparedSQLPlaceholders now respects that function names in PHP are case-insensitive.
• WordPress.DB.PreparedSQLPlaceholders stricter recognition of the $wpdb variable in double quotes query strings.
• WordPress.DB.PreparedSQLPlaceholders false positive when a fully qualified function call is encountered in an implode( ', ', array_fill(...)) pattern.
• WordPress.Files.FileName no longer presumes a three character file extension.
• WordPress.NamingConventions.PrefixAllGlobals could previously get confused when it encountered comments in unexpected places in function calls which were being examined.
• WordPress.NamingConventions.PrefixAllGlobals now respects that function names in PHP are case-insensitive when checking whether a function declaration is polyfilling a PHP native function.
• WordPress.NamingConventions.PrefixAllGlobals improved false positive prevention for variable assignments via keyed lists.
• WordPress.NamingConventions.PrefixAllGlobals now only looks at the current statement when determining which variables were imported via a global statement. This prevents both false positives as well as false negatives.
• WordPress.NamingConventions.PrefixAllGlobals no longer gets confused over global statements in nested clsure/function declarations.
• WordPress.NamingConventions.ValidFunctionName now also checks the names of (global) functions when the declaration is nested within an OO method.
• WordPress.NamingConventions.ValidFunctionName no longer throws false positives for triple underscore methods.
• WordPress.NamingConventions.ValidFunctionName the suggested replacement names in the error message no longer remove underscores from a name in case of leading or trailing underscores, or multiple underscores in the middle of a name.
• WordPress.NamingConventions.ValidFunctionName the determination whether a name is in snake_case is now more accurate and has improved handling of non-ascii characters.
• WordPress.NamingConventions.ValidFunctionName now correctly recognizes a PHP4-style constructor when the class and the constructor method name contains non-ascii characters.
• WordPress.NamingConventions.ValidHookName no longer throws false positives when the hook name is generated via a function call and that function is passed string literals as parameters.
• WordPress.NamingConventions.ValidHookName now ignores parameters in a variable function call (like a call to a closure).
• WordPress.NamingConventions.ValidPostTypeSlug no longer throws false positives for interpolated text strings with complex embedded variables/expressions.
• WordPress.NamingConventions.ValidVariableName the suggested replacement names in the error message will no longer remove underscores from a name in case of leading or trailing underscores, or multiple underscores in the middle of a name.
• WordPress.NamingConventions.ValidVariableName the determination whether a name is in snake_case is now more accurate and has improved handling of non-ascii characters.
• WordPress.NamingConventions.ValidVariableName now examines all variables and variables in expressions in a text string containing interpolation.
• WordPress.NamingConventions.ValidVariableName now has improved recognition of variables in complex embedded variables/expressions in interpolated text strings.
• WordPress.PHP.IniSet no longer gets confused over comments in the code when determining whether the ini value is an allowed one.
• WordPress.PHP.NoSilencedErrors no longer throws an error when error silencing is encountered for function calls to the PHP native libxml_disable_entity_loader() and imagecreatefromwebp() methods.
• WordPress.PHP.StrictInArray no longer gets confused over comments in the code when determining whether the $strict parameter is used.
• WordPress.Security.EscapeOutput no longer throws a false positive on function calls where the parameters need escaping, when no parameters are being passed.
• WordPress.Security.EscapeOutput no longer throws a false positive when a fully qualified function call to the \basename() function is encountered within a call to _deprecated_file().
• WordPress.Security.EscapeOutput could previously get confused when it encountered comments in the $file parameter for _deprecated_file().
• WordPress.Security.EscapeOutput now ignores significantly more operators which should yield more accurate results.
• WordPress.Security.EscapeOutput now respects that function names in PHP are case-insensitive when checking whether a printing function is being used.
• WordPress.Security.EscapeOutput no longer throws an Internal.Exception when it encounters a constant or property mirroring the name of one of the printing functions being targeted, nor will it throw false positives for those.
• WordPress.Security.EscapeOutput no longer incorrectly handles method calls or calls to namespaced functions mirroring the name of one of the printing functions being targeted.
• WordPress.Security.EscapeOutput now ignores exit/die statements without a status being passed, preventing false positives on code after the statement.
• WordPress.Security.EscapeOutput now has improved recognition that print can also be used as an expression, not only as a statement.
• WordPress.Security.EscapeOutput now has much, much, much more accurate handling of code involving ternary expressions and should now correctly ignore the ternary condition in all long ternaries being examined.
• WordPress.Security.EscapeOutput no longer disregards the ternary condition in a short ternary.
• WordPress.Security.EscapeOutput no longer skips over a constant or property mirroring the name of one of the (auto-)escaping/formatting functions being targeted.
• WordPress.Security.EscapeOutput no longer throws false positives for *::class, which will always evaluate to a plain string.
• WordPress.Security.EscapeOutput no longer throws false positives on output generating keywords encountered in an inline expression.
• WordPress.Security.EscapeOutput no longer throws false positives on parameters passed to _e() or _ex(), which won't be used in the output.
• WordPress.Security.EscapeOutput no longer throws false positives on heredocs not using interpolation.
• WordPress.Security.NonceVerification now respects that function names in PHP are case-insensitive when checking whether an array comparison function is being used.
• WordPress.Security.NonceVerification now also checks for nonce verification when the $_FILES superglobal is being used.
• WordPress.Security.NonceVerification now ignores properties named after superglobals.
• WordPress.Security.NonceVerification now ignores list assignments to superglobals.
• WordPress.Security.NonceVerification now ignores superglobals being unset.
• WordPress.Security.ValidatedSanitizedInput now respects that function names in PHP are case-insensitive when checking whether an array comparison function is being used.
• WordPress.Security.ValidatedSanitizedInput now respects that function names in PHP are case-insensitive when checking whether a variable is being validated using [array_]key_exists().
• WordPress.Security.ValidatedSanitizedInput improved recognition of interpolated variables and expression in the text strings. This fixes some false negatives.
• WordPress.Security.ValidatedSanitizedInput no longer incorrectly regards an unset() as variable validation.
• WordPress.Security.ValidatedSanitizedInput no longer incorrectly regards validation in a nested scope as validation which applies to the superglobal being examined.
• WordPress.WP.AlternativeFunctions could previously get confused when it encountered comments in unexpected places.
• WordPress.WP.AlternativeFunctions now correctly takes the minimum_wp_version into account when determining whether a call to parse_url() could switch over to using wp_parse_url().
• WordPress.WP.CapitalPDangit now skips (keyed) list assignments to prevent false positives.
• WordPress.WP.CapitalPDangit now always skips all array keys, not just plain text array keys.
• WordPress.WP.CronInterval no longer throws a ChangeDetected warning for interval calculations wrapped in parentheses, but for which the value for the interval is otherwise known.
• WordPress.WP.CronInterval no longer throws a ChangeDetected warning for interval calculations using fully qualified WP native time constants, but for which the value for the interval is otherwise known.
• WordPress.WP.DeprecatedParameters no longer throws a false positive for function calls to comments_number() using the fourth parameter (which was deprecated, but has been repurposed since WP 5.4).
• `WordPress.WP.Dep

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot. Specmatic specific configuration is managed here.