Investigating use of PHP-Scoper

Tmeister 9:22 PM Hi, I have a plugin on the repo where I use the Firebase\JWT package (last version) loaded via composer, and there is another plugin (https://wordpress.org/plugins/the-events-calendar/) that uses the same package, but they use an old version. Due to the way WP loads the plugins, my plugin dependencies load after theirs. Obviously, the old version is used; there are breaking changes between versions, and my plugin functionality gets broken. How can I handle this? I think the only way is to ask the other plugin developer to update the outdated dependency, right? BTW, the other plugin version uses a version with a vulnerability https://github.com/advisories/GHSA-8xf4-w7qw-pjjw

ipstenu :dotted_line_face: 9:27 PM A couple things going on… We know there’s a vulnerability, all plugins with the old version should have been notified and given time to update. We loop back in ‘quiet’ time… So December :confused: (before you ask: the reason is that people like to argue about the importance of updating making it a trying and draining experience to repeat, over and over, please upgrade your ding dang library! So if you have a secret way to knock the heads of everyone and get them to wake up, I’d love to know it!) Yeah, composer and multiple versions sucks. Remind the other plugin “You have a vulernability, please update!!!” and maybe see if Composer or your code can detect the out of date version and warn people :confused:

Tmeister 9:36 PM Thank you ipstenu; I'll ping the other dev; meanwhile, I will add a known issue in my readme file.

yani :plugins: 9:51 PM Use a distinct namespace that will not interfere with other plugins. You can achieve this easily with PHP-Scoper

As far as i know this is not easy, but maybe it's easier nowadays.

pronamic / wp-pronamic-pay

Investigating use of PHP-Scoper #342