search

pronamic / wp-pronamic-pay

The Pronamic Pay plugin allows you to easily accept payments with payment methods like credit card, iDEAL, Bancontact and Sofort through a variety of payment providers on your WordPress website.
https://pronamicpay.com
34 stars 14 forks source link

Investigating use of PHP-Scoper #342

Closed remcotolsma closed 1 year ago

remcotolsma commented 1 year ago

Tmeister 9:22 PM Hi, I have a plugin on the repo where I use the Firebase\JWT package (last version) loaded via composer, and there is another plugin (https://wordpress.org/plugins/the-events-calendar/) that uses the same package, but they use an old version. Due to the way WP loads the plugins, my plugin dependencies load after theirs. Obviously, the old version is used; there are breaking changes between versions, and my plugin functionality gets broken. How can I handle this? I think the only way is to ask the other plugin developer to update the outdated dependency, right? BTW, the other plugin version uses a version with a vulnerability https://github.com/advisories/GHSA-8xf4-w7qw-pjjw

ipstenu :dotted_line_face: 9:27 PM A couple things going on… We know there’s a vulnerability, all plugins with the old version should have been notified and given time to update. We loop back in ‘quiet’ time… So December :confused: (before you ask: the reason is that people like to argue about the importance of updating making it a trying and draining experience to repeat, over and over, please upgrade your ding dang library! So if you have a secret way to knock the heads of everyone and get them to wake up, I’d love to know it!) Yeah, composer and multiple versions sucks. Remind the other plugin “You have a vulernability, please update!!!” and maybe see if Composer or your code can detect the out of date version and warn people :confused:

Tmeister 9:36 PM Thank you ipstenu; I'll ping the other dev; meanwhile, I will add a known issue in my readme file.

yani :plugins: 9:51 PM Use a distinct namespace that will not interfere with other plugins. You can achieve this easily with PHP-Scoper

As far as i know this is not easy, but maybe it's easier nowadays.

remcotolsma commented 1 year ago

clorith 9:49 AM replied to a thread: Use a distinct namespace that will not interfere with other plugins. You can achieve this easily with PHP-Scoper This :point_up: I'd be so bold as to say any plugin or theme that uses composer packages should use this as a requirement, since WP by it self is not in composer, so you can't share assets reliably between plugins or themes.

💯