chore(deps-dev)(deps-dev): bump yoast/phpunit-polyfills from 2.0.5 to 4.0.0#1237
Open
dependabot[bot] wants to merge 42 commits into
Open
chore(deps-dev)(deps-dev): bump yoast/phpunit-polyfills from 2.0.5 to 4.0.0#1237dependabot[bot] wants to merge 42 commits into
dependabot[bot] wants to merge 42 commits into
Conversation
Bumps [yoast/phpunit-polyfills](https://github.com/Yoast/PHPUnit-Polyfills) from 2.0.5 to 4.0.0. - [Release notes](https://github.com/Yoast/PHPUnit-Polyfills/releases) - [Changelog](https://github.com/Yoast/PHPUnit-Polyfills/blob/4.x/CHANGELOG.md) - [Commits](Yoast/PHPUnit-Polyfills@2.0.5...4.0.0) --- updated-dependencies: - dependency-name: yoast/phpunit-polyfills dependency-version: 4.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
The selector validation added for issue #993 used native querySelector, which rejects digit-leading class names (.2026-selector) per the CSS spec. jQuery's engine performs the actual click-trigger matching and has always accepted them, so fall back to it before rejecting a selector. Malformed selectors (unbalanced quotes/brackets) still fail both checks and are skipped with the console warning. Ref: https://wordpress.org/support/topic/extra-selectors-starting-with-a-number-no-longer-work/
Admin menu, page titles, list UI, and bulk-action notices used "Call to Actions"; the grammatically correct plural is "Calls to Action" (CTAs for the abbreviation). Ref: https://wordpress.org/support/topic/plural-of-call-to-action/
… restorable focus previouslyFocused is captured via $( ':focus' ), which never matches <body> (jQuery's matcher requires type/href/non-negative tabindex), so for auto-open popups the stored set was empty and pumAfterClose left post-close focus to browser defaults. Browsers generally drop focus to <body> themselves when the focused popup hides — verified in Chromium, where Tab already resumed from the top — so this usually behaved correctly by accident, but the outcome was implicit and environment-dependent rather than guaranteed. Per WCAG 2.4.3, focus still returns to the previously focused element when one exists and is visible. Otherwise it is now explicitly set on <body> via a temporary tabindex, making Tab-from-the-top deterministic, including when the prior element was removed or hidden while the popup was open. A tabindex already present on <body> is left untouched; the temporary attribute is only added and removed when body had none. Ref: https://wordpress.org/support/topic/closing-a-popup-should-move-focus-to-the-top-of-the-page/
force_ajax() attached the shortcode_atts_gravityforms filter on the popmake_popup_before_inner/after_inner template hooks, but since popup content preloading (1.21.0) the GF shortcode renders during preload_popup() at wp_enqueue_scripts:11 and the footer template only echoes the cached string — so the filter wrapped nothing and forms in popups rendered without AJAX. Full-page POSTs broke text confirmations and Form Submission triggers (thank-you popups never opened), while preload() still enqueued GF's ajax spinner scripts targeting an iframe that never existed. Sandwich the pum_popup_content pipeline (blocks at 9, shortcodes at 11) with the same filter at priorities 5/99 instead. Verified against GF on a local site: popup form gains target='gform_ajax_frame_N' + iframe, on-page instances of the same form remain non-AJAX. Ref: https://wordpress.org/support/topic/form-submission-thank-you-doesnt-appear-on-popup/
- Gravity Forms: esc_attr() the JSON settings attribute, store only whitelisted keys, and intersect known keys on read so poisoned option data cannot reach the render sink. - Assets: strip all *_license_key values from the currentSettings JS localization exposed to block-editor users. - Admin bar: scope the toolbar-action handler to #wpadminbar, use currentTarget, and require a strictly numeric popup ID.
Flip the pum_asset_cache_sslverify default to true so server-side asset fetches validate certificates. Still filterable for self-signed hosts.
- Pin only-allow to 1.2.2 in the preinstall guard. - Verify the strauss PHAR sha256 before executing it. - build-release.js: copy the versioned zip via fs (not a shell) and validate the tag-derived zip name, closing a command-injection sink.
- deploy-to-wordpress: always build from checked-out source instead of a mutable release zip, and force dry-run on any non-master ref. - deploy-readme-assets: gate to refs/heads/master with a pinned checkout. - build: pass user-controlled dispatch inputs via env instead of interpolating them into run scripts.
- Licensing: kses the remote license API error_message before it reaches the unescaped triple-mustache license template (stored XSS). - AdminBar: HTML-escape the computed selector before innerHTML in the Get Selector modal (DOM XSS from attacker-influenced page markup).
- Previews: require edit_post on the specific popup before force-loading a preview (shared preview nonce leaked draft/private popups to lower roles). - Settings::page: gate on manage_settings; reachable via the edit_posts Go Pro submenu and dumps all settings into inline JS. - PostTypes: map the full primitive-capability set for popup/theme/cta so every status stays behind the intended permission (editors could edit published). - RestAPI: require delete_post before trashing a CTA via the status field. - ObjectSearch: enforce the target post-type/taxonomy capability, not just the broad edit_posts gate. - CTA shortcode: only render published CTAs (was exposing non-public UUIDs). - Upsell: gate the integration notice on edit_popups (plugin enumeration). - Telemetry: require manage_settings before enabling telemetry opt-in.
…dering - CallToActions: force the pid tracking redirect same-site via wp_validate_redirect (open redirect); gate notrack on edit_popups; only act on published CTAs so a stale UUID cache can't keep a disabled CTA live. - KaliForms: type-check $_POST['data'] before decode (PHP 8 fatal) and validate pum_is_popup() before counting a conversion (forged popup IDs). - ACF: scope the non-public-post guard relaxation to the current popup's own ID so [acf post_id=<other private post>] can't read unrelated fields.
- AssetCache: canonicalize local asset paths with realpath and confirm they stay within WP_CONTENT_DIR/ABSPATH; reject stream wrappers. Stops directory traversal and file://phar:// reads being embedded into the public cache. - Debug: load the react-scan profiler from a pinned version over HTTPS with a Subresource Integrity hash instead of an unpinned protocol-relative CDN URL.
- bump-and-publish: validate npm names/versions and commit via execFileSync (no shell) so a malicious package manifest can't inject commands. - update-google-fonts: read the API key from GOOGLE_FONTS_API_KEY instead of a hard-coded key in source. - ci: fail the CI Summary gate when change-detection fails/cancels (skipped downstream jobs were counted as passes). - webpack: scope devServer allowedHosts instead of 'all' (DNS-rebinding). - .phpstorm.meta.php: bail at runtime to avoid a path-disclosing fatal on direct web access.
Monthly (and manual) job that refreshes includes/google-fonts.json from the Google Fonts API and opens a PR with any changes. Kept out of the release pipeline so releases stay reproducible and font-list changes stay reviewable. Uses the GOOGLE_FONTS_API_KEY repository secret.
refresh_license_status caught an exception and passed null into the array-typed update_license_status, and deactivate_license called it (and dereferenced ['license']) before its empty check — both fatal on an empty/error API body. Guard the callers so a transient failure no longer overwrites stored status, and make the setter defensively nullable.
… cta-buttons core/buttons is a container block; the transform only read the container's own attributes and created one empty core/button per selection, dropping the real inner button content. Clone the inner blocks through instead.
- icons/components: drop the module field that pointed at a nonexistent src/index.js (matches other packages; exports map is authoritative). - use-query-params: re-export ReactRouter6Adapter from the root and drop the malformed 'adapters' exports key; import it from the root in cta-admin. - types: define the previously-undefined IconType used by the Tab types. - block-library: add @popup-maker/icons to tsconfig paths/references. - block-editor: remove a stray token that broke the SCSS compile.
The importer files moved under includes/legacy/importer/ but the require paths still pointed at includes/importer/, so the admin Easy Modal import fatally failed.
build-release.js --output-dir only relocates the zip and cleanup removes the assembled tree, so the SVN deploy received a zip instead of the plugin files. Use --keep-build and copy the assembled ./popup-maker tree into BUILD_DIR.
The settings resolver dispatched SETTINGS_FETCH_ERROR even after a successful load, and both it and changeActionStatus dispatched fields at the top level while the reducer reads action.payload.* — throwing on the destructure. Wrap dispatches in payload and only report an error when settings actually failed to load.
…ded_popups current_popup() ignored its setter argument and get_loaded_popups() returned a plain array despite its documented WP_Query contract. Restore the legacy setter behavior and return a populated WP_Query so old callers don't break.
…oading The effect cleared url/linkTarget/rel whenever the CTA wasn't loaded yet, wiping the link during async resolution. Only clear once hasFinishedResolution is true and the CTA is genuinely absent.
…markup Blocks saved with the previous wp-block-buttons class had no deprecation and failed validation. Add a deprecation reproducing the old save output and migrating it forward.
The native editor referenced clientId before destructuring it and used several components (PanelBody, RichText, etc.) without importing them. Fix the ordering and add the missing imports. Native-only file; no web-build impact.
- Template::render guards extract() against non-array args. - get_post_type_labels casts labels to an array so the label helper can index it. - UpgradeStream::send_event normalizes scalar payloads (send_error passes strings). - Container::get_controller matches registration (Interfaces\Controller), so interface-only controllers are retrievable. - Drop the duplicate popmake_tag_args filter invocation. - Admin reset display reads the opens key (falls back to legacy views).
… conversion - url-search: return after a successful result instead of also dispatching error. - settings: guard the undeclared popupMakerCoreData global; apiPath returns the relative 'settings' so restBase isn't doubled into the namespace. - custom-fields: evaluate numeric field dependencies. - fields conversion: preserve object-selector args (post_type/taxonomy/object_key) and legacy html field content instead of dropping them.
…reviews - cta-button editor: create the CTA draft-first on save (via the 'new' editor id) instead of immediately publishing one on selection, so cancelling no longer leaves an orphaned published CTA. - Generate CTA URLs and block links using the filtered param names (localized via paramNames) instead of hardcoding cta/pid/notrack. - Add a cta-button deprecation for the previous wp-element-button markup. - Trigger preview reads the WP_Post-shaped localized popups (ID/post_title).
- Beaver Builder: type-check ajax settings.data (string/URLSearchParams/FormData) before parsing so non-string payloads don't throw. - Newsletter: always (re)attach the success observer, appending the hidden popup field only when absent. - pum-integrations: track non-AJAX conversions against the popup passed in args rather than the empty form-derived popup.
- Don't call onSave when saveEditorValues() reports failure. - Report a save as successful based on the action actually used (create vs update), so update success is no longer ignored. - Remove the duplicate beforeunload listener from the modal HOC (kept in with-data-store). - Only suppress the generic save notice when field-level notices were created, so validation errors can't be silently hidden. - Sort the CTA list by id/type/conversions/title explicitly. - REST stats schema declares 'conversions' to match the payload and sort key.
…ction The flat integration helper emits 'easy_digital_downloads' (derived from the label), but the Go Pro upsell only checked the legacy 'edd' key, so EDD-only sites weren't treated as having an ecommerce integration. Accept both keys.
omit() copied only the specified keys (behaving like pick), the inverse of its name and Omit<T,K> type. Return a shallow copy with those keys removed; update the characterization tests to assert the correct behavior.
…d UI guards - Block category icon points at assets/images/mark.svg (was 404ing). - License details show 'Deactivated' text for deactivated keys instead of always 'Active'. - New-install detection reads installed_on from popup_maker_version_info (the legacy pum_installed_on option is deleted after migration). - Guard the CTA type-filter label lookup against prototype keys from the URL. - Re-enable the upgrade button when connect-info validation fails.
- Base\Upgrade::stream() returns an anonymous class whose __call no-ops, so the fallback mock's methods are actually callable (a stdClass with closure properties fatals when called as methods). - Blocks::find_blocks honors the documented 'prefix/*' wildcard (and its own default of pum/*) instead of only exact-matching the literal string.
…wheel listener - load_plugin_textdomain gets a WP_PLUGIN_DIR-relative languages path, not an absolute one, so bundled translations load. - The package 'head' flag now maps to head placement (was inverted, sending head-flagged scripts to the footer). - _nx() wrapper matches WordPress's (single, plural, number, context, domain) signature instead of dropping the plural argument. - Select2 wheel listener is non-passive so its boundary preventDefault works.
PURGE compared numeric ids against string object keys (Object.entries), so byId, editedEntities, editHistory and editHistoryIndex kept purged records. Compare via a stringified id set; update the characterization tests to the correct behavior.
a2b72b7 removed the proven download-release-zip-and-extract path (the path all successful .org deploys used) in favor of build-from-source only, which had never run. Restore it as the primary path, keep the master-only dry-run guard, and keep the build-from-source fallback (now producing an unpacked tree, not a zip). Note: the mutable-release-asset concern that motivated the removal is real but modest (requires maintainer-level access, same as pushing to protected master); tracking integrity verification separately rather than dropping the working path.
…ller 955645e re-inlined the legacy WP_Query construction in the PUM_Site_Popups shim, undoing the refactor's controller delegation. Add get_loaded_popups_query() to the Frontend\Popups controller (which owns the shaping) and reduce the legacy method to a thin delegate that still populates the legacy static props for external readers.
- Introduced AGENTS.md to provide comprehensive guidance for Codex when working with the Popup Maker WordPress plugin, including project overview, quick start commands, architecture details, and extension APIs. - Added php-type-validator.toml for a specialized agent focused on validating PHPStan docblock types against actual code implementations, ensuring type accuracy and compliance. - Included phpstan-docblock-typer.toml for an agent dedicated to adding PHPStan-compliant docblocks to achieve higher compliance levels without modifying method implementations.
…uttons
Registers "Open Popup" as a Click Action option on Beaver Builder's Button
module (alongside Link, Button, Lightbox). Selecting it reveals a popup picker
and outputs the `popmake-{id}` class on the button, which Popup Maker's Click
Open trigger uses to open the popup — the same mechanism as the block editor
button and shortcodes.
The referenced popup is force-loaded on the page via maybe_preload_popup() so
it opens even when its own display conditions wouldn't otherwise match, while
still respecting the popup's enabled state. Preloading is skipped in the admin
and Beaver Builder editor. Popup options are labeled by post title.
Closes #607.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps yoast/phpunit-polyfills from 2.0.5 to 4.0.0.
Release notes
Sourced from yoast/phpunit-polyfills's releases.
... (truncated)
Changelog
Sourced from yoast/phpunit-polyfills's changelog.
... (truncated)
Commits
134921bMerge pull request #254 from Yoast/feature/4.x/changelog-v4.0.0467709fChangelog for the 4.0.0 release and other documentation updatesb7d234fMerge branch '3.x' into 4.x9cf2ccdMerge pull request #253 from Yoast/feature/3.x/changelog-v3.1.259bd807Changelog for the 3.1.2 release083d158Merge branch '3.x' into 4.x615cd5bMerge branch '2.x' into 3.x93c9b2dMerge branch '3.x' into 4.x47d6fb2Merge branch '2.x' into 3.xd2874f0Changelog for the 1.1.4 releaseDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)