chore(deps): update composer (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
squizlabs/php_codesniffer	^3.7 → ^4.0
wp-coding-standards/wpcs	^2.3 → ^3.0

---

Release Notes

PHPCSStandards/PHP_CodeSniffer (squizlabs/php_codesniffer)

v4.0.1: - 2025-11-10

Compare Source

This release includes all improvements and bugfixes from PHP_CodeSniffer 3.13.5.

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• The Squiz.ControlStructures.SwitchDeclaration sniff will now flag a PHP close tag as a "wrong opener" and will auto-fix this by inserting a colon. #​1316
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• 4.x regression #​1277: bring back whitespace tolerance in phpcs:ignore comma-separated rule reference lists.
  • Note: this bug did not affect phpcs:disable/phpcs:enable ignore annotations.
• Fixed bug #​968: Generic.WhiteSpace.ScopeIndent was reporting false positives - and making incorrect fixes - for lines following a line containing an arrow function.
  • Thanks to Soichi Sato for the patch.
• Fixed bug #​1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #​1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
• Fixed bug #​1315: Squiz.ControlStructures.SwitchDeclaration: a number of the fixers would get into fixer conflicts with each other if the code under scan contained multiple statements on a line within a switch.
  • The sniff will now forbid - and auto-fix - multiple statements on one line for case/default and "case breaking" statements.
• Fixed bug #​1316: Tokenizer/PHP: a PHP close tag after a switch case condition or after a default keyword, was not regarded as a "scope_opener" for the case/default body.
• Fixed bug #​1316: PSR2.ControlStructures.SwitchDeclaration: the WrongOpener error is now also auto-fixable if the wrong opener is a PHP close tag.
• Fixed bug #​1316: Squiz.PHP.NonExecutableCode would throw false positives when code within a switch control structure would move in and out of PHP.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​andrewnicols, @​Soh1121

Statistics

Closed: 2 issues
Merged: 8 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v4.0.0: - 2025-09-16

Compare Source

This release contains breaking changes.

Upgrade guides for both ruleset maintainers/end-users, as well as for sniff developers and integrators, have been published to the Wiki.

You are strongly encouraged to read the upgrade guide applicable to your situation before upgrading.

This release includes all improvements and bugfixes from PHP_CodeSniffer 4.0.0-beta1, 4.0.0-RC1, 3.13.3 and 3.13.4.

Changed

• Tokenizer/PHP: fully qualified exit/die/true/false/null will be tokenized as the keyword token and the token 'content' will include the leading backslash. #​1201
• Wherever possible based on the PHP 7.2 minimum version, parameter types have been added to all methods. #​1237
• The supported PHPUnit version constraints have been updated to ^8.4.0 || ^9.3.4 || ^10.5.32 || 11.3.3 - 11.5.28 || ^11.5.31. #​1247
  • External standards using the PHP_CodeSniffer native framework may need to update their own PHPUnit version constraints.
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• Fixed bug #​1082: new exit codes weren't applied when running phpcbf on code provided via STDIN.
  • Thanks to Dan Wallis for the patch.
• Fixed bug #​1172: // phpcs:set for inline array properties did not handle a single item array with the value true, false or null correctly.
• Fixed bug #​1174: progress bar wasn't showing files as fixed when running phpcbf in parallel mode.
• Fixed bug #​1226: PHP 8.5 "Using null as an array offset" deprecation notice.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

---

Statistics

Closed: 5 issues
Merged: 35 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v3.13.5: - 2025-11-04

Compare Source

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• Various housekeeping, including improvements to the tests and documentation.
  • Thanks to Rodrigo Primo and Juliette Reinders Folmer for their contributions.

Fixed

• Fixed bug #​1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #​1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
  • Thanks to Juliette Reinders Folmer for the patch.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​andrewnicols

Statistics

Closed: 2 issues
Merged: 36 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v3.13.4: - 2025-09-05

Compare Source

Fixed

• Fixed bug #​1213: ability to run tests for external standards using the PHPCS native test framework was broken.
  • Thanks to Juliette Reinders Folmer for the patch.
• Fixed bug #​1215: PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Juliette Reinders Folmer for the patch.

Statistics

Closed: 0 issues
Merged: 3 pull requests

If you like to stay informed about releases and more, follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v3.13.3: - 2025-09-04

Compare Source

Added

• Tokenizer support for PHP 8.4 dereferencing of new expressions without wrapping parentheses. #​1160
  • Thanks to Juliette Reinders Folmer for the patch.
• Tokenizer support for PHP 8.4 abstract properties. #​1183
  • The File::getMemberProperties() method now also supports abstract properties through a new is_abstract array index in the return value. #​1184
  • Additionally, the following sniffs have been updated to support abstract properties:
    • Generic.PHP.LowerCaseConstant #​1185
    • Generic.PHP.UpperCaseConstant #​1185
    • PSR2.Classes.PropertyDeclaration #​1188
    • Squiz.Commenting.VariableComment #​1186
    • Squiz.WhiteSpace.MemberVarSpacing #​1187
  • Thanks to Juliette Reinders Folmer for the patches
• Tokenizer support for the PHP 8.4 "exit as a function call" change. #​1201
  • When exit/die is used as a fully qualified "function call", it will now be tokenized as T_NS_SEPARATOR + T_EXIT.
  • Additionally, the following sniff has been updated to handle fully qualified exit/die correctly:
    • Squiz.PHP.NonExecutableCode
  • Thanks to Juliette Reinders Folmer for the patches

Changed

• Tokenizer/PHP: fully qualified true/false/null will now be tokenized as T_NS_SEPARATOR + T_TRUE/T_FALSE/T_NULL. #​1201
  • Previously, these were tokenized as T_NS_SEPARATOR + T_STRING.
  • Additionally, the following sniffs have been updated to handle fully qualified true/false/null correctly:
    • Generic.CodeAnalysis.UnconditionalIfStatement
    • Generic.ControlStructures.DisallowYodaConditions
    • PEAR.Functions.ValidDefaultValue
  • Thanks to Juliette Reinders Folmer for the patches.
• Generic.PHP.Syntax: the sniff is now able to scan input provided via STDIN on non-Windows OSes. #​915
  • Thanks to Rodrigo Primo for the patch.
• PSR2.ControlStructures.SwitchDeclaration: the WrongOpener* error code is now auto-fixable if the identified "wrong opener" is a semi-colon. #​1161
  • Thanks to Juliette Reinders Folmer for the patch.
• The PSR2.Classes.PropertyDeclaration will now check that the abstract modifier keyword is placed before a visibility keyword. #​1188
  • Errors will be reported via a new AbstractAfterVisibility error code.
  • Thanks to Juliette Reinders Folmer for the patch.
• Various housekeeping, including improvements to the tests and documentation.
  • Thanks to Bernhard Zwein, Rick Kerkhof, Rodrigo Primo and Juliette Reinders Folmer for their contributions.

Fixed

• Fixed bug #​1112 : --parallel option fails if PHP_CodeSniffer is invoked via bash and the invokation creates a non-PHPCS-managed process.
  • Thanks to Rick Kerkhof for the patch.
• Fixed bug #​1113 : fatal error when the specified "files to scan" would result in the same file being added multiple times to the queue.
  • This error only occured when --parallel scanning was enabled.
  • Thanks to Rodrigo Primo for the patch.
• Fixed bug #​1154 : PEAR.WhiteSpace.ObjectOperatorIndent: false positive when checking multiple chained method calls in a multidimensional array.
  • Thanks to Rodrigo Primo for the patch.
• Fixed bug #​1193 : edge case inconsistency in how empty string array keys for sniff properties are handled.
  • Thanks to Rodrigo Primo and Juliette Reinders Folmer for the patch.
• Fixed bug #​1197 : Squiz.Commenting.FunctionComment: return types containing a class name with underscores would be truncated leading to incorrect results.
  • Thanks to Juliette Reinders Folmer for the patch.

Other

• The Wiki documentation is now publicly editable. 🎉
  • Update proposals can be submittted by opening a pull request in the PHPCSStandards/PHP_CodeSniffer-documentation repository.
    Contributions welcome !
  • Thanks to Anna Filina, Dan Wallis and Juliette Reinders Folmer for their work on getting this set up.
• The Phar website has had a facelift. #​107
  • Thanks to Bernhard Zwein for making this happen!

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​benno5020, @​NanoSector

Statistics

Closed: 11 issues
Merged: 40 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

WordPress/WordPress-Coding-Standards (wp-coding-standards/wpcs)

v3.3.0

Compare Source

Added

• Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props [@​rodrigoprimo]. #​2559
• Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #​2563
• WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #​2646

Changed

• The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #​2614
• The minimum required PHP_CodeSniffer version to 3.13.4 (was 3.13.0). #​2630
• The minimum required PHPCSExtra version to 1.5.0 (was 1.4.0). #​2646
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #​2656
• WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #​2654
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #​2652
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #​2652
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #​2652
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #​2652
• WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props [@​rodrigoprimo]. #​2642
• README: updated testVersion recommendations for PHPCompatibility. Props [@​johnjago]. #​2471
• Example ruleset: updated the minimum_wp_version and testVersion recommendations. #​2608
• All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #​2649
• Various housekeeping, including documentation and test improvements. Includes contributions by [@​rodrigoprimo].

Deprecated

• The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #​2616

Removed

• wp_kses_allowed_html() from the list of escaping functions. #​2566
  This affects the WordPress.Security.EscapeOutput sniff.

Fixed

• WordPress.DB.DirectDatabaseQuery: false positive when function call to caching functions did not use the canonical function name. Props [@​rodrigoprimo]. #​2613
• WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props [@​rodrigoprimo]. #​2615
• WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props [@​rodrigoprimo]. #​2570
• WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props [@​rodrigoprimo]. #​2569
• WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props [@​rodrigoprimo]. #​2605
• WordPress.Security.NonceVerification: false positive when nonce checking function call did not use the canonical function name. Props [@​rodrigoprimo]. #​2572
• WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #​2573
• WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props [@​rodrigoprimo]. #​2630

v3.2.0

Compare Source

Added

• New WordPress.WP.GetMetaSingle sniff to the WordPress-Extra ruleset. Props [@​rodrigoprimo]! #​2465
  This sniff warns when get_*_meta() and get_metadata*() functions are used with the $meta_key/$key param, but without the $single parameter as this could lead to unexpected behavior due to the different return types.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.Strings.UnnecessaryHeredoc and Generic.WhiteSpace.HereNowdocIdentifierSpacing. #​2534
• The rest_sanitize_boolean() functions to the list of known "sanitizing" functions. Props [@​westonruter]. #​2530
• End-user documentation to the following existing sniffs: WordPress.DB.PreparedSQL (props [@​jaymcp], #​2454), WordPress.NamingConventions.ValidFunctionName (props [@​richardkorthuis] and [@​rodrigoprimo], #​2452, #​2531), WordPress.NamingConventions.ValidVariableName (props [@​richardkorthuis], #​2457), WordPress.PHP.DontExtract (props [@​aiolachiara], #​2456).
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.

Changed

• The minimum required PHP_CodeSniffer version to 3.13.0 (was 3.9.0). #​2532
• The minimum required PHPCSUtils version to 1.1.0 (was 1.0.10). #​2532
• The minimum required PHPCSExtra version to 1.4.0 (was 1.2.1). #​2532
• Sniffs based on the AbstractFunctionParameterSniff will now call a dedicated process_first_class_callable() method for PHP 8.1+ first class callables. Props [@​rodrigoprimo], [@​jrfnl]. #​2518, #​2544
  By default, the method won't do anything, but individual sniffs extending the AbstractFunctionParameterSniff class can choose to implement the method to handle first class callables.
  Previously, first class callables were treated as a function call without parameters and would trigger the process_no_parameters() method.
• The minimum required prefix length for the WordPress.NamingConventions.PrefixAllGlobals sniff has been changed from 3 to 4 characters. Props [@​davidperezgar]. #​2479
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.5. #​2553
• WordPress.NamingConventions.ValidVariableName now allows for PHP 8.4 properties in interfaces. #​2532
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.8.1. #​2537
• WordPress.WP.Capabilities has been updated to recognize new capabilities introduced in WP up to WP 6.8.1. #​2537
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.8.1. #​2537
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.8.1. #​2537
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.8.1. #​2537
• WordPress.WP.DeprecatedParameterValues now detects parameter values deprecated in WordPress up to WP 6.8.1. #​2537
• Minor performance improvements.
• Developer happiness: prevent creating a composer.lock file. Thanks [@​fredden]! #​2443
• Various housekeeping, including documentation and test improvements. Includes contributions by [@​rodrigoprimo] and [@​szepeviktor].
• All sniffs are now also being tested against PHP 8.4 for consistent sniff results. #​2511

Deprecated

Removed

• The Generic.Functions.CallTimePassByReference has been removed from the WordPress-Extra ruleset. Props [@​rodrigoprimo]. #​2536
  This sniff was dated anyway and deprecated in PHP_CodeSniffer. If you need to check if your code is PHP cross-version compatible, use the [PHPCompatibility] standard instead.

Fixed

• Sniffs based on the AbstractClassRestrictionsSniff could previously run into a PHPCS Internal.Exception, leading to fixes not being made. #​2500
• Sniffs based on the AbstractFunctionParameterSniff will now bow out more often when it is sure the code under scan is not calling the target function and during live coding, preventing false positives. Props [@​rodrigoprimo]. #​2518

v3.1.0

Compare Source

Added

• WordPress-Core ruleset: now includes the Universal.PHP.LowercasePHPTag sniff.
• WordPress-Extra ruleset: now includes the Generic.CodeAnalysis.RequireExplicitBooleanOperatorPrecedence and the Universal.CodeAnalysis.NoDoubleNegative sniffs.
• The sanitize_locale_name() function to the list of known "escaping" functions. Props [@​Chouby]
• The sanitize_locale_name() function to the list of known "sanitize & unslash" functions. Props [@​Chouby]

Changed

• The minimum required PHP_CodeSniffer version to 3.9.0 (was 3.7.2).
• The minimum required PHPCSUtils version to 1.0.10 (was 1.0.8).
• The minimum required PHPCSExtra version to 1.2.1 (was 1.1.0).
  Please ensure you run composer update wp-coding-standards/wpcs --with-dependencies to benefit from these updates.
• Core ruleset: the spacing after the use keyword for closure use statements will now consistently be checked. Props [@​westonruter] for reporting.
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.2.
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP 6.4 and 6.5.
• WordPress.NamingConventions.ValidPostTypeSlug has been updated to recognize reserved post types introduced in WP 6.4 and 6.5.
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP 6.4 and 6.5.
• WordPress.WP.DeprecatedClasses now detects classes deprecated in WordPress up to WP 6.5.
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.5.
• The IsUnitTestTrait will now recognize classes which extend the new WP Core WP_Font_Face_UnitTestCase class as test classes.
• The test suite can now run on PHPUnit 4.x - 9.x (was 4.x - 7.x), which should make contributing more straight forward.
• Various housekeeping, includes a contribution from [@​rodrigoprimo].

Fixed

• WordPress.WP.PostsPerPage could potentially result in an Internal.Exception when encountering a query string which doesn't include the value for posts_per_page in the query string. Props [@​anomiex] for reporting.

v3.0.1

Compare Source

Added

• In WordPressCS 3.0.0, the functionality of the WordPress.Security.EscapeOutput sniff was updated to report unescaped message parameters passed to exceptions created in throw statements. This specific violation now has a separate error code: ExceptionNotEscaped. This will allow users to ignore or exclude that specific error code. Props [@​anomiex].
  The error code(s) for other escaping issues flagged by the sniff remain unchanged.

Changed

• Updated the CI workflow to test the example ruleset for issues.
• Funding files and updates in the Readme about funding the project.

Fixed

• Fixed a sniff name in the phpcs.xml.dist.sample file (case-sensitive sniff name). Props [@​dawidurbanski].

v3.0.0

Compare Source

Important information about this release:

At long last... WordPressCS 3.0.0 is here.

This is an important release which makes significant changes to improve the accuracy, performance, stability and maintainability of all sniffs, as well as making WordPressCS much better at handling modern PHP.

WordPressCS 3.0.0 contains breaking changes, both for people using ignore annotations, people maintaining custom rulesets, as well as for sniff developers who maintain a custom PHPCS standard based on WordPressCS.

If you are an end-user or maintain a custom WordPressCS based ruleset, please start by reading the Upgrade Guide to WordPressCS 3.0.0 for end-users which lists the most important changes and contains a step by step guide for upgrading.

If you are a maintainer of an external standard based on WordPressCS and any of your custom sniffs are based on or extend WordPressCS sniffs, please read the Upgrade Guide to WordPressCS 3.0.0 for Developers.

In all cases, please read the complete changelog carefully before you upgrade.

Added

• Dependencies on the following packages: PHPCSUtils, PHPCSExtra and the [Composer PHPCS plugin].
• A best effort has been made to add support for the new PHP syntaxes/features to all WordPressCS native sniffs and utility functions (or to verify/improve existing support).
  While support in external sniffs used by WordPressCS has not be exhaustively verified, a lot of work has been done to try and add support for new PHP syntaxes to those as well.
  WordPressCS native sniffs and utilities have received fixes for the following syntaxes:
  • PHP 7.2
    • Keyed lists.
  • PHP 7.3
    • Flexible heredoc/nowdoc (providing the PHPCS scan is run on PHP 7.3 or higher).
    • Trailing commas in function calls.
  • PHP 7.4
    • Arrow functions.
    • Array unpacking in array expressions.
    • Numeric literals with underscores.
    • Typed properties.
    • Null coalesce equals operator.
  • PHP 8.0
    • Nullsafe object operators.
    • Match expressions.
    • Named arguments in function calls.
    • Attributes.
    • Union types // including supporting the false and null types.
    • Constructor property promotion.
    • $object::class
    • Throw as an expression.
  • PHP 8.1
    • Enumerations.
    • Explicit octal notation.
    • Final class constants
    • First class callables.
    • Intersection types.
  • PHP 8.2
    • Constants in traits.
• New WordPress.CodeAnalysis.AssignmentInTernaryCondition sniff to the WordPress-Core ruleset which partially replaces the removed WordPress.CodeAnalysis.AssignmentInCondition sniff.
• New WordPress.WhiteSpace.ObjectOperatorSpacing sniff which replaces the use of the Squiz.WhiteSpace.ObjectOperatorSpacing sniff in the WordPress-Core ruleset.
• New WordPress.WP.ClassNameCase sniff to the WordPress-Core ruleset, to check that any class name references to WP native classes and classes from external dependencies use the case of the class as per the class declaration.
• New WordPress.WP.Capabilities sniff to the WordPress-Extra ruleset. This sniff checks that valid capabilities are used, not roles or user levels. Props, amongst others, to [@​grappler] and [@​khacoder].
  Custom capabilities can be added to the sniff via a custom_capabilities ruleset property.
  The sniff also supports the minimum_wp_version property to allow the sniff to accurately determine how the use of deprecated capabilities should be flagged.
• The WordPress.WP.CapitalPDangit sniff contains a new check to verify the correct spelling of WordPress in namespace names.
• The WordPress.WP.I18n sniff contains a new EmptyTextDomain error code for an empty text string being passed as the text domain, which overrules the default value of the parameter and renders a text untranslatable.
• The WordPress.DB.PreparedSQLPlaceholders sniff has been expanded with additional checks for the correct use of the %i placeholder, which was introduced in WP 6.2. Props [@​craigfrancis].
  The sniff now also supports the minimum_wp_version ruleset property to determine whether the %i placeholder can be used.
• WordPress-Core: the following additional sniffs (or select error codes from these sniffs) have been added to the ruleset: Generic.CodeAnalysis.AssignmentInCondition, Generic.CodeAnalysis.EmptyPHPStatement (replaces the WordPressCS native sniff), Generic.VersionControl.GitMergeConflict, Generic.WhiteSpace.IncrementDecrementSpacing, Generic.WhiteSpace.LanguageConstructSpacing, Generic.WhiteSpace.SpreadOperatorSpacingAfter, PSR2.Classes.ClassDeclaration, PSR2.Methods.FunctionClosingBrace, PSR12.Classes.ClassInstantiation, PSR12.Files.FileHeader (select error codes only), PSR12.Functions.NullableTypeDeclaration, PSR12.Functions.ReturnTypeDeclaration, PSR12.Traits.UseDeclaration, Squiz.Functions.MultiLineFunctionDeclaration (replaces part of the WordPress.WhiteSpace.ControlStructureSpacing sniff), Modernize.FunctionCalls.Dirname, NormalizedArrays.Arrays.ArrayBraceSpacing (replaces part of the WordPress.Arrays.ArrayDeclarationSpacing sniff), NormalizedArrays.Arrays.CommaAfterLast (replaces the WordPressCS native sniff), Universal.Classes.ModifierKeywordOrder, Universal.Classes.RequireAnonClassParentheses, Universal.Constants.LowercaseClassResolutionKeyword, Universal.Constants.ModifierKeywordOrder, Universal.Constants.UppercaseMagicConstants, Universal.Namespaces.DisallowCurlyBraceSyntax, Universal.Namespaces.DisallowDeclarationWithoutName, Universal.Namespaces.OneDeclarationPerFile, Universal.NamingConventions.NoReservedKeywordParameterNames, Universal.Operators.DisallowShortTernary (replaces the WordPressCS native sniff), Universal.Operators.DisallowStandalonePostIncrementDecrement, Universal.Operators.StrictComparisons (replaces the WordPressCS native sniff), Universal.Operators.TypeSeparatorSpacing, Universal.UseStatements.DisallowMixedGroupUse, Universal.UseStatements.KeywordSpacing, Universal.UseStatements.LowercaseFunctionConst, Universal.UseStatements.NoLeadingBackslash, Universal.UseStatements.NoUselessAliases, Universal.WhiteSpace.CommaSpacing, Universal.WhiteSpace.DisallowInlineTabs (replaces the WordPressCS native sniff), Universal.WhiteSpace.PrecisionAlignment (replaces the WordPressCS native sniff), Universal.WhiteSpace.AnonClassKeywordSpacing.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.CodeAnalysis.UnusedFunctionParameter, Universal.Arrays.DuplicateArrayKey, Universal.CodeAnalysis.ConstructorDestructorReturn, Universal.CodeAnalysis.ForeachUniqueAssignment, Universal.CodeAnalysis.NoEchoSprintf, Universal.CodeAnalysis.StaticInFinalClass, Universal.ControlStructures.DisallowLonelyIf, Universal.Files.SeparateFunctionsFromOO.
• WordPress.Utils.I18nTextDomainFixer: the load_script_textdomain() function to the functions the sniff looks for.
• WordPress.WP.AlternativeFunctions: the following PHP native functions have been added to the sniff and will now be flagged when used: unlink() (in a new unlink group) , rename() (in a new rename group), chgrp(), chmod(), chown(), is_writable() is_writeable(), mkdir(), rmdir(), touch(), fputs() (in the existing file_system_operations group, which was previously named file_system_read). Props [@​sandeshjangam] and [@​JDGrimes].
• The PHPUnit_Adapter_TestCase class to the list of "known test (case) classes".
• The antispambot() function to the list of known "formatting" functions.
• The esc_xml() and wp_kses_one_attr() functions to the list of known "escaping" functions.
• The wp_timezone_choice() and wp_readonly() functions to the list of known "auto escaping" functions.
• The sanitize_url() and wp_kses_one_attr() functions to the list of known "sanitizing" functions.
• Metrics for blank lines at the start/end of a control structure body to the WordPress.WhiteSpace.ControlStructureSpacing sniff. These can be displayed using --report=info when the blank_line_check property has been set to true.
• End-user documentation to the following new and pre-existing sniffs: WordPress.DateTime.RestrictedFunctions, WordPress.NamingConventions.PrefixAllGlobals (props [@​Ipstenu]), WordPress.PHP.StrictInArray (props [@​marconmartins]), WordPress.PHP.YodaConditions (props [@​Ipstenu]), WordPress.WhiteSpace.ControlStructureSpacing (props [@​ckanitz]), WordPress.WhiteSpace.ObjectOperatorSpacing, WordPress.WhiteSpace.OperatorSpacing (props [@​ckanitz]), WordPress.WP.CapitalPDangit (props [@​NielsdeBlaauw]), WordPress.WP.Capabilities, WordPress.WP.ClassNameCase, WordPress.WP.EnqueueResourceParameters (props [@​NielsdeBlaauw]).
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.
  Note: all sniffs which have been added from PHPCSExtra (Universal, Modernize, NormalizedArrays sniffs) are also fully documented.

Added (internal/dev-only)

• New Helper classes:
  • ArrayWalkingFunctionsHelper
  • ConstantsHelper *
  • ContextHelper *
  • DeprecationHelper *
  • FormattingFunctionsHelper
  • ListHelper *
  • RulesetPropertyHelper *
  • SnakeCaseHelper *
  • UnslashingFunctionsHelper
  • ValidationHelper
  • VariableHelper *
  • WPGlobalVariablesHelper
  • WPHookHelper
• New Helper traits:
  • EscapingFunctionsTrait
  • IsUnitTestTrait
  • MinimumWPVersionTrait
  • PrintingFunctionsTrait
  • SanitizationHelperTrait *
  • WPDBTrait

These classes and traits mostly contain pre-existing functionality moved from the Sniff class.
The classes marked with an * are considered internal and do not have any promise of future backward compatibility.

More information is available in the Upgrade Guide to WordPressCS 3.0.0 for Developers.

Changed

• As of this version, installation via Composer is the only supported manner of installation.
  Installing in a different manner (git clone/PEAR/PHAR) is still possible, but no longer supported.
• The minimum required PHP_CodeSniffer version to 3.7.2 (was 3.3.1).
• Composer: the package will now identify itself as a static analysis tool.
• The PHP filter, libxml and XMLReader extensions are now explicitly required.
  It is recommended to also have the Mbstring and iconv extensions enabled for the most accurate results.
• The release branch has been renamed from master to main.
• The following sniffs have been moved from WordPress-Extra to WordPress-Core: the Generic.Files.OneObjectStructurePerFile (also changed from warning to error),
  Generic.PHP.BacktickOperator, PEAR.Files.IncludingFile, PSR2.Classes.PropertyDeclaration, PSR2.Methods.MethodDeclaration, Squiz.Scope.MethodScope, Squiz.WhiteSpace.ScopeKeywordSpacing sniffs. Props, amongst others, to [@​desrosj].
• WordPress-Core: The Generic.Arrays.DisallowShortArraySyntax sniff has been replaced by the Universal.Arrays.DisallowShortArraySyntax sniff.
  The new sniff will recognize short lists correctly and ignore them.
• WordPress-Core: The Generic.Files.EndFileNewline sniff has been replaced by the more comprehensive PSR2.Files.EndFileNewline sniff.
• A number of sniffs support setting the minimum WP version for the code being scanned.
  This could be done in two different ways:
  1. By setting the minimum_supported_version property for each sniff from a ruleset.
  2. By passing --runtime-set minimum_supported_wp_version #.# on the command line.
     The names of the property and the CLI setting have now been aligned to both use minimum_wp_version as the name.
     Both ways of passing the value are still supported.
• WordPress.NamingConventions.PrefixAllGlobals: the custom_test_class_whitelist property has been renamed to custom_test_classes.
• WordPress.NamingConventions.ValidVariableName: the customPropertiesWhitelist property has been renamed to allowed_custom_properties.
• WordPress.PHP.NoSilencedErrors: the custom_whitelist property has been renamed to customAllowedFunctionsList.
• WordPress.PHP.NoSilencedErrors: the use_default_whitelist property has been renamed to usePHPFunctionsList.
• WordPress.WP.GlobalVariablesOverride: the custom_test_class_whitelist property has been renamed to custom_test_classes.
• Sniffs are now able to handle fully qualified names for custom test classes provided via a custom_test_classes (previously custom_test_class_whitelist) ruleset property.
• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.0.
• WordPress.NamingConventions.PrefixAllGlobals now takes new pluggable constants into account as introduced in WordPress up to WP 6.3.
• WordPress.NamingConventions.ValidPostTypeSlug now takes new reserved post types into account as introduced in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedClasses now detects classes deprecated in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.3.
• WordPress.WP.DeprecatedParameterValues now detects parameter values deprecated in WordPress up to WP 6.3.
• WordPress.Utils.I18nTextDomainFixer: the lists of recognized plugin and theme header tags has been updated based on the current information in the plugin and theme handbooks.
• WordPress.WP.AlternativeFunctions: the "group" name file_system_read, which can be used with the exclude property, has been renamed to file_system_operations.
  This also means that the error codes for individual functions flagged via that group have changed from WordPress.WP.AlternativeFunctions.file_system_read_* to WordPress.WP.AlternativeFunctions.file_system_operations_*.
• WordPress.WP.CapitalPDangit: the Misspelled error code has been split into two error codes - MisspelledInText and MisspelledInComment - to allow for more modular exclusions/selectively turning off the auto-fixer for the sniff.
• WordPress.WP.I18n no longer throws both the MissingSingularPlaceholder and the MismatchedPlaceholders for the same code, as the errors have an overlap.
• WordPress-Core: previously only the spacing around commas in arrays, function declarations and function calls was checked. Now, the spacing around commas will be checked in all contexts.
• WordPress.Arrays.ArrayKeySpacingRestrictions: a new SpacesBetweenBrackets error code has been introduced for the spacing between square brackets for array assignments without key. Previously, this would throw a NoSpacesAroundArrayKeys error with an unclear error message.
• WordPress.Files.FileName now recognizes more word separators, meaning that files using other word separators than underscores will now be flagged for not using hyphenation.
• WordPress.Files.FileName now checks if a file contains a test class and if so, will bow out.
  This change was made to prevent issues with PHPUnit 9.1+, which strongly prefers PSR4-style file names.
  Whether something is test class or not is based on a pre-defined list of "known" test case classes which can be extended and, optionally, a list of user provided test case classes provided via setting the custom_test_classes property in a custom ruleset or the complete test directory can be excluded via a custom ruleset.
• WordPress.NamingConventions.PrefixAllGlobals now allows for pluggable functions and classes, which should not be prefixed when "plugged".
• WordPress.PHP.NoSilencedErrors: the metric, which displays in the info report, has been renamed from "whitelisted function call" to "silencing allowed function call".
• WordPress.Security.EscapeOutput now flags the use of get_search_query( false ) when generating output (as the false turns off the escaping).
• WordPress.Security.EscapeOutput now also examines parameters passed for exception creation in throw statements and expressions for correct escaping.
• WordPress.Security.ValidatedSanitizedInput now examines all superglobal (except for $GLOBALS). Previously, the $_SESSION and $_ENV superglobals would not be flagged as needing validation/sanitization.
• WordPress.WP.I18n now recognizes the new PHP 8.0+ h and H type specifiers.
• WordPress.WP.PostsPerPage has improved recognition for numbers prefixed with a unary operator and non-decimal numbers.
• WordPress.DB.PreparedSQL will identify more precisely the code which is problematic.
• WordPress.DB.PreparedSQLPlaceholders will identify more precisely the code which is problematic.
• WordPress.DB.SlowDBQuery will identify more precisely the code which is problematic.
• WordPress.Security.PluginMenuSlug: the error will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.DiscouragedConstants: the error will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.EnqueuedResourceParameters: the error will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will now be thrown on a different line.
• WordPress.WP.I18n: the errors will now be thrown more precisely on the code which triggered the error. Depending on code layout, this may mean that an error will

---

Configuration

📅 Schedule: Branch creation - At 12:00 AM through 04:59 AM and 04:00 PM through 08:59 PM ( * 0-4,16-20 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update squizlabs/php_codesniffer:4.0.1 wp-coding-standards/wpcs:3.3.0 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires wp-coding-standards/wpcs ^3.0 -> satisfiable by wp-coding-standards/wpcs[3.3.0].
    - wp-coding-standards/wpcs 3.3.0 requires squizlabs/php_codesniffer ^3.13.4 -> found squizlabs/php_codesniffer[3.13.4, 3.13.5, 3.x-dev] but it conflicts with your root composer.json require (^4.0).

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.