Bump the composer-minor-patch group across 1 directory with 4 updates

[dependabot]

Bumps the composer-minor-patch group with 3 updates in the / directory: wp-coding-standards/wpcs, phpcompatibility/phpcompatibility-wp and automattic/vipwpcs.

Updates wp-coding-standards/wpcs from 3.0.1 to 3.3.0

Release notes

Sourced from wp-coding-standards/wpcs's releases.

3.3.0

Added

• Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props @​rodrigoprimo. #2559
• Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #2563
• WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #2646

Changed

• The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #2614
• The minimum required PHP_CodeSniffer version to 3.13.4 (was 3.13.0). #2630
• The minimum required PHPCSExtra version to 1.5.0 (was 1.4.0). #2646
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #2656
• WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #2654
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #2652
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #2652
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #2652
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #2652
• WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props @​rodrigoprimo. #2642
• README: updated testVersion recommendations for PHPCompatibility. Props @​johnjago. #2471
• Example ruleset: updated the minimum_wp_version and testVersion recommendations. #2608
• All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #2649
• Various housekeeping, including documentation and test improvements. Includes contributions by @​rodrigoprimo.

Deprecated

• The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #2616

Removed

• wp_kses_allowed_html() from the list of escaping functions. #2566 This affects the WordPress.Security.EscapeOutput sniff.

Fixed

• WordPress.DB.DirectDatabaseQuery: false positive when function call to caching functions did not use the canonical function name. Props @​rodrigoprimo. #2613
• WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props @​rodrigoprimo. #2615
• WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props @​rodrigoprimo. #2570
• WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props @​rodrigoprimo. #2569
• WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props @​rodrigoprimo. #2605
• WordPress.Security.NonceVerification: false positive when nonce checking function call did not use the canonical function name. Props @​rodrigoprimo. #2572
• WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #2573
• WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props @​rodrigoprimo. #2630

3.2.0

Added

• New WordPress.WP.GetMetaSingle sniff to the WordPress-Extra ruleset. Props @​rodrigoprimo! #2465 This sniff warns when get_*_meta() and get_metadata*() functions are used with the $meta_key/$key param, but without the $single parameter as this could lead to unexpected behavior due to the different return types.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.Strings.UnnecessaryHeredoc and Generic.WhiteSpace.HereNowdocIdentifierSpacing. #2534
• The rest_sanitize_boolean() functions to the list of known "sanitizing" functions. Props @​westonruter. #2530
• End-user documentation to the following existing sniffs: WordPress.DB.PreparedSQL (props @​jaymcp, #2454), WordPress.NamingConventions.ValidFunctionName (props @​richardkorthuis and @​rodrigoprimo, #2452, #2531), WordPress.NamingConventions.ValidVariableName (props @​richardkorthuis, #2457), WordPress.PHP.DontExtract (props @​aiolachiara #2456). This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.

Changed

• The minimum required PHP_CodeSniffer version to 3.13.0 (was 3.9.0). #2532

... (truncated)

Changelog

Sourced from wp-coding-standards/wpcs's changelog.

[3.3.0] - 2025-11-25

Added

• Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props [@​rodrigoprimo]. #2559
• Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #2563
• WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #2646

Changed

• The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #2614
• The minimum required PHP_CodeSniffer version to 3.13.4 (was 3.13.0). #2630
• The minimum required PHPCSExtra version to 1.5.0 (was 1.4.0). #2646
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #2656
• WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #2654
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #2652
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #2652
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #2652
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #2652
• WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props [@​rodrigoprimo]. #2642
• README: updated testVersion recommendations for PHPCompatibility. Props [@​johnjago]. #2471
• Example ruleset: updated the minimum_wp_version and testVersion recommendations. #2608
• All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #2649
• Various housekeeping, including documentation and test improvements. Includes contributions by [@​rodrigoprimo].

Deprecated

• The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #2616

Removed

• wp_kses_allowed_html() from the list of escaping functions. #2566 This affects the WordPress.Security.EscapeOutput sniff.

Fixed

• WordPress.DB.DirectDatabaseQuery: false positive when function call to caching functions did not use the canonical function name. Props [@​rodrigoprimo]. #2613
• WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props [@​rodrigoprimo]. #2615
• WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props [@​rodrigoprimo]. #2570
• WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props [@​rodrigoprimo]. #2569
• WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props [@​rodrigoprimo]. #2605
• WordPress.Security.NonceVerification: false positive when nonce checking function call did not use the canonical function name. Props [@​rodrigoprimo]. #2572
• WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #2573
• WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props [@​rodrigoprimo]. #2630

#2471: WordPress/WordPress-Coding-Standards#2471 #2559: WordPress/WordPress-Coding-Standards#2559 #2563: WordPress/WordPress-Coding-Standards#2563 #2566: WordPress/WordPress-Coding-Standards#2566 #2569: WordPress/WordPress-Coding-Standards#2569 #2570: WordPress/WordPress-Coding-Standards#2570 #2572: WordPress/WordPress-Coding-Standards#2572 #2573: WordPress/WordPress-Coding-Standards#2573 #2605: WordPress/WordPress-Coding-Standards#2605 #2608: WordPress/WordPress-Coding-Standards#2608

... (truncated)

Commits

• 7795ec6 Merge pull request #2658 from WordPress/develop
• 5025d83 Merge pull request #2657 from WordPress/feature/changelog-3.3.0
• c2b30bf Merge pull request #2656 from WordPress/feature/update-minimum-wp-version
• 12e2936 Changelog for the release of WordPressCS 3.3.0
• da2054d Merge pull request #2654 from WordPress/feature/directdatabasequery-update-fu...
• 7629477 Merge pull request #2651 from WordPress/feature/use-phpcompatibility-10.0.0-a...
• 7f36b9d Update the minimum_wp_version to WP 6.6
• 76eeb61 Merge pull request #2653 from WordPress/feature/ghactions-improve-dont-run-on...
• 3ef3f9d Merge pull request #2652 from WordPress/feature/update-for-wp-6.9
• 2e47aad Merge pull request #2649 from WordPress/feature/ghactions-update-for-php-8.5-...
• Additional commits viewable in compare view

Updates phpcompatibility/phpcompatibility-wp from 2.1.4 to 2.1.8

Release notes

Sourced from phpcompatibility/phpcompatibility-wp's releases.

2.1.8 - 2025-10-18

This is a maintenance release.

• The ruleset now includes schema tags.
• General housekeeping and maintenance.

2.1.7 - 2025-05-12

• Composer: The minimum supported version of PHP_CodeSniffer has been raised to 3.3.0.
• Ruleset: Prevent deprecation notice on PHP_CodeSniffer 3.13.0+.

2.1.6 - 2025-01-16

This is a maintenance release.

• README: Fixed some broken badges.
• General housekeeping and documentation updates. Including a contribution by @​johnbillion.

2.1.5 - 2024-04-25

• Ruleset: Updated for compatibility with WordPress 6.5. Thanks @​swissspidy.
• The recommended version of the Composer PHPCS plugin is now ^1.0.
• Other housekeeping and documentation updates. Includes contributions from @​fredden and @​johnbillion.

Changelog

Sourced from phpcompatibility/phpcompatibility-wp's changelog.

[2.1.8] - 2025-10-18

This is a maintenance release.

• The ruleset now includes schema tags.
• General housekeeping and maintenance.

[2.1.7] - 2025-05-12

• Composer: The minimum supported version of PHP_CodeSniffer has been raised to 3.3.0.
• Ruleset: Prevent deprecation notice on PHP_CodeSniffer 3.13.0+.

[2.1.6] - 2025-01-16

• README: Fixed some broken badges.
• General housekeeping and documentation updates. Including a contribution by [@​johnbillion].

[2.1.5] - 2024-04-25

• Ruleset: Updated for compatibility with WordPress 6.5. Thanks [@​swissspidy]
• The recommended version of the [Composer PHPCS plugin] is now ^1.0.
• Other housekeeping and documentation updates. Includes contributions from [@​fredden] and [@​johnbillion].

Commits

• 7c8d18b Merge pull request #75 from PHPCompatibility/feature/changelog-2.1.8
• e44ab9d Changelog for the release of version 2.1.8
• 8cecb58 CHANGELOG: fix bullet consistency
• 0ce84af Merge pull request #73 from PHPCompatibility/feature/dependabot-fix-config
• 280daa4 Dependabot: remove cooldown
• 014f1ed Merge pull request #72 from PHPCompatibility/feature/ghactions-set-minimal-pe...
• 17206f5 GH Actions: set permissions for each workflow/job
• c3795e0 Merge pull request #71 from PHPCompatibility/feature/ghactions-do-not-persist...
• ced596b GH Actions: do not persist credentials
• c7146e4 Merge pull request #70 from PHPCompatibility/feature/ghactions-pin-action-run...
• Additional commits viewable in compare view

Updates squizlabs/php_codesniffer from 3.9.0 to 3.13.5

Release notes

Sourced from squizlabs/php_codesniffer's releases.

3.13.5 - 2025-11-04

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• Various housekeeping, including improvements to the tests and documentation.
  • Thanks to Rodrigo Primo and Juliette Reinders Folmer for their contributions.

Fixed

• Fixed bug #1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
  • Thanks to Juliette Reinders Folmer for the patch.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors: @​andrewnicols

Statistics

Closed: 2 issues Merged: 36 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

3.13.4 - 2025-09-05

Fixed

• Fixed bug #1213: ability to run tests for external standards using the PHPCS native test framework was broken.
  • Thanks to Juliette Reinders Folmer for the patch.
• Fixed bug #1215: PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Juliette Reinders Folmer for the patch.

Statistics

Closed: 0 issues Merged: 3 pull requests

... (truncated)

Changelog

Sourced from squizlabs/php_codesniffer's changelog.

[3.13.5] - 2025-11-04

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• Various housekeeping, including improvements to the tests and documentation.
  • Thanks to [Rodrigo Primo][@​rodrigoprimo] and [Juliette Reinders Folmer][@​jrfnl] for their contributions.

Fixed

• Fixed bug #1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to [Andrew Lyons][@​andrewnicols] for the patch.
• Fixed bug #1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
  • Thanks to Juliette Reinders Folmer for the patch.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

#1216: PHPCSStandards/PHP_CodeSniffer#1216 #1279: PHPCSStandards/PHP_CodeSniffer#1279

[3.13.4] - 2025-09-05

Fixed

• Fixed bug #1213: ability to run tests for external standards using the PHPCS native test framework was broken.
  • Thanks to [Juliette Reinders Folmer][@​jrfnl] for the patch.
• Fixed bug #1215: PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to [Juliette Reinders Folmer][@​jrfnl] for the patch.

#1213: PHPCSStandards/PHP_CodeSniffer#1213 #1215: PHPCSStandards/PHP_CodeSniffer#1215

[3.13.3] - 2025-09-04

Added

• Tokenizer support for PHP 8.4 dereferencing of new expressions without wrapping parentheses. #1160
  • Thanks to [Juliette Reinders Folmer][@​jrfnl] for the patch.
• Tokenizer support for PHP 8.4 abstract properties. #1183
  • The File::getMemberProperties() method now also supports abstract properties through a new is_abstract array index in the return value. #1184
  • Additionally, the following sniffs have been updated to support abstract properties:
    • Generic.PHP.LowerCaseConstant #1185
    • Generic.PHP.UpperCaseConstant #1185
    • PSR2.Classes.PropertyDeclaration #1188

... (truncated)

Commits

• 0ca8684 Merge pull request #1305 from PHPCSStandards/feature/docs-minor-touch-up-befo...
• 3e7e576 Docs: various small fixes
• c3a2490 CHANGELOG: fix up missing credit
• 848341d Merge pull request #1304 from PHPCSStandards/feature/changelog-3.13.5
• 31c62de Changelog for the 3.13.5 release
• e163dbf PHP 8.5 | Tokenizer/PHP: properly fix "Using null as an array offset" depreca...
• af1b003 Merge pull request #1301 from PHPCSStandards/feature/e2e-tests-use-new-bashun...
• cf28362 E2E tests: use new bashunit assertion
• a82bffd Merge pull request #1298 from PHPCSStandards/dependabot/github_actions/3.x/ac...
• 0ae1271 Merge pull request #1299 from PHPCSStandards/dependabot/github_actions/3.x/ac...
• Additional commits viewable in compare view

Updates automattic/vipwpcs from 3.0.0 to 3.0.1

Release notes

Sourced from automattic/vipwpcs's releases.

3.0.1

Increases requirements for PHPCS from 3.7.2 to 3.9.2 for improved PHP 8.2 and PHP 8.3 support. Please ensure you run composer update automattic/vipwpcs --with-dependencies to benefit from this.

Removed

• Functions/RestrictedFunctions:
  • #812: Remove restricting term_exists().
  • #814: Remove restricting get_page_by_title().
  • #817: Remove restricting get_page_by_path().

Changed

• #799: Classes/DeclarationCompatibility: Sync signature definitions with WP Core.

Full Changelog: Automattic/VIP-Coding-Standards@3.0.0...3.0.1

Changelog

Sourced from automattic/vipwpcs's changelog.

[3.0.1] - 2024-05-14

Props: @​GaryJones, @​jrnfl, @​terriann, @​rebeccahum

Increases requirements for PHPCS from 3.7.2 to 3.9.2 for improved PHP 8.2 and PHP 8.3 support. Please ensure you run composer update automattic/vipwpcs --with-dependencies to benefit from this.

Removed

• Functions/RestrictedFunctions:
  • #812: Remove restricting term_exists().
  • #814: Remove restricting get_page_by_title().
  • #817: Remove restricting get_page_by_path().

Changed

• #799: Classes/DeclarationCompatibility: Sync signature definitions with WP Core.

Maintenance

• #797: GH: Add initial dependabot config file.
• GH Actions:
  • #798: Bump actions/checkout to 4 from 3.
  • #802: Minor tweaks of updating an incorrect URL and adding names to steps.
  • #803: Builds against PHP 8.3 can no longer fail, but 8.4 can.
  • #818: Add workaround for intermittent apt-get update issue.
• Composer:
  • #805: Raise minimum version for better PHP 8.2 support.
  • #805: Up the minimum PHPCSExtra version to 1.2.1.
  • #821: Up the minimum PHPCSUtils version to 1.0.11.
  • #821: Up the minimum PHPCS version to 3.9.2.
  • #821: Up the minimum WPCS version to 3.1.0.
  • #821: Up the minimum PHPCSVariableAnalysis version to 2.11.18.
• Docs:
  • #805: Update references to PHPCS under PHPCSStandards, as squizlabs version is abandoned.
  • #808: Update Composer installation instructions.
  • #811: Update old URLs.
• #809: Unit tests: Allow for PHPUnit 8 and 9.

Commits

• 2b1d206 Merge pull request #822 from Automattic/develop
• 9e91528 Merge pull request #820 from Automattic/3.0.1/changelog
• 65ef15a Add changelog for 3.0.1 release
• 627c179 Merge pull request #821 from Automattic/3.0.1/update-dependencies
• b14551f Update dependencies per https://github.com/Automattic/VIP-Coding-Standards/pu...
• 463dc53 Merge pull request #818 from Automattic/feature/ghactions-xmllint-bypass-apt-...
• f60ed12 GH Actions: work around intermittent apt-get errors
• 7d3768c Merge pull request #817 from Automattic/deprecate/get_page_by_path
• ab56662 Deprecate suggesting using wpcom_vip_get_page_by_path
• 8687674 Merge pull request #815 from Automattic/dependabot/github_actions/ramsey/comp...
• Additional commits viewable in compare view

[github-actions]

Composer package changes

Dev Packages	Operation	Base	Target
automattic/vipwpcs	Upgraded	3.0.0	3.0.1
phpcompatibility/phpcompatibility-paragonie	Upgraded	1.3.2	1.3.4
phpcompatibility/phpcompatibility-wp	Upgraded	2.1.4	2.1.8
phpcsstandards/phpcsextra	Upgraded	1.2.1	1.5.0
phpcsstandards/phpcsutils	Upgraded	1.0.9	1.2.2
sirbrillig/phpcs-variable-analysis	Upgraded	v2.11.17	v2.13.0
squizlabs/php_codesniffer	Upgraded	3.9.0	3.13.5
wp-coding-standards/wpcs	Upgraded	3.0.1	3.3.0