mather-sophi / sophi-for-wordpress
WordPress VIP-compatible plugin for the Sophi.io Site Automation service.
Home Page: https://sophi.io
License: GNU General Public License v2.0
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/postcss-selector-matches/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-colormin/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-env-function/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-custom-properties/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-discard-empty/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-discard-overridden/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-preset-env/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-lab-function/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-color-hex-alpha/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-minify-font-values/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-url/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-page-break/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-media-minmax/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-place/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/cssnano-preset-default/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/cssnano-util-raw-cache/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-color-gray/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/css-has-pseudo/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-logical/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/autoprefixer/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-reduce-initial/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-reduce-transforms/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-ordered-values/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-string/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-double-position-gradients/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-minify-params/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/stylelint-declaration-use-variable/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-repeat-style/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-discard-duplicates/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/css-blank-pseudo/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-svgo/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/stylelint/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-gap-properties/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-merge-rules/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-color-rebeccapurple/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-convert-values/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-timing-functions/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-merge-longhand/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-replace-overflow-wrap/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-safe-parser/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/css-prefers-color-scheme/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-minify-selectors/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-dir-pseudo-class/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-font-variant/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-calc/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-charset/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-editor-styles/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-display-values/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/sugarss/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-attribute-case-insensitive/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-less/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-nesting/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-custom-selectors/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-minify-gradients/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-sass/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-overflow-shorthand/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-unique-selectors/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-discard-comments/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-image-set-function/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-scss/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-whitespace/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-reporter/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/cssnano/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/stylehacks/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/@10up/stylelint-config/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-sorting/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-selector-not/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-pseudo-class-any-link/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-focus-within/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-unicode/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/css-declaration-sorter/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-color-mod-function/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-custom-media/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-normalize-positions/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-color-functional-notation/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-initial/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/stylelint-order/node_modules/postcss/package.json,sophi-for-wordpress/node_modules/postcss-focus-visible/node_modules/postcss/package.json
Dependency Hierarchy:
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.8.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution: postcss - 8.2.10
Step up your Open Source Security Game with WhiteSource here
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution: xmlhttprequest - 1.7.0,xmlhttprequest-ssl - 1.6.2
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: yargs/yargs-parser@63810ca
Release Date: 2020-06-05
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/svgo/node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution: xmlhttprequest-ssl - 1.6.1
Is your enhancement related to a problem? Please describe.
In a recent progress review on a Sophi integration, @barryceelen noted:
use page slug, for data sent to sophi
We should investigate when sending widget/block data to Sophi if it would be easier to send the page slug and where feasible make that update.
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context
This issue is for tracking changes for the 1.0.4 release. Target release date: 15 July 2021.
- develop, cut a release branch named release/1.0.4 for your changes.
- sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
- CHANGELOG.md and readme.txt.
- CREDITS.md with any new contributors, confirm maintainers are accurate.
- README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
- .distignore.
- develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
- trunk branch, test for functionality locally.
- trunk branch to GitHub (e.g. git push origin trunk).
- trunk branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
- Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
- 1.0.4 do not make it into the release, update their milestone to 1.1.0 or Future Release.
- develop branch (cd ../ && git checkout develop) bump the version number in sophi.php to 1.0.5-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.
Is your enhancement related to a problem? Please describe.
Add our base unit testing and linting actions so that we can use those for checks on PRs.
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context
Is your enhancement related to a problem? Please describe.
WordPress 5.8 will introduce the Query block; the plugin should consider if/how it should integrate with that block, as a likely case is allowing Sophi to be set as a data source.
Describe the solution you'd like
Designs
TBD
Describe alternatives you've considered
Additional context
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-4.3.1.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/imagemin-svgo/node_modules/is-svg/package.json,sophi-for-wordpress/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
Base Score Metrics:
There are some changes and additions needed for the tracking data that gets collected, to help with site automation results.
- type: Should be a string with one of the following values: article, video, audio, or image. Most content will be article. Propose we use the post format feature to determine this, as it directly supports all of these types. In addition, suggest we add a new filter around this to make it easy for sites to customize this (we'll want validation on this to ensure the value this filter returns is only one of those types).
- url: Should be a string that contains the main URL of the content. This is replacing the existing canonicalURL field.
- isCanonical: Should be a boolean value. true if this item is the canonical resource. Default for most items will be true.
- promoImageUri: Should be a string that points to the URL of the featured image (should ensure we use the full size image).
- canonicalURL: This field is being removed and replaced by url and isCanonical.
- sectionNames: This is an existing field but it needs to be changed to an array of strings. If a piece of content has multiple sections (like /news/local/SLUG), this field should be ['news', 'local']. If it only has a single section (like /news/), this field should be ['news']. The first section in the URL should always show first in this array.
- plainText: This field already exists but we need new logic here to check if a piece of content has any text at all and if not, this field should be omitted. This applies mostly to non-article content that may not contain any text.
- datePublished: Field needs to be renamed to publishedAt.
- dateModified: Field needs to be renamed to modifiedAt.
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/imagemin/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/browserslist/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/imagemin/node_modules/glob-parent/package.json,sophi-for-wordpress/node_modules/webpack-dev-server/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
It looks like there are a handful of TODO statements still in the code. Ideally these would be addressed or, if they are no longer relevant, those statements would be removed.
I'm seeing two of these in /includes/classes/Curator/Request.php and one in /includes/blocks/curator-block/edit.js.
Is your enhancement related to a problem? Please describe.
This plugin was initially developed targeting WordPress VIP, but now that we're broadening the audience to WordPress.org we'll need to update our WP-CLI command to work on non-VIP environments.
Describe the solution you'd like
Designs
n/a
Describe alternatives you've considered
n/a
Additional context
n/a
In order to better capture widget groupings, we need to add a new data attribute to the main container that is used for the site automation widgets.
This attribute takes the form data-sophi-feature="Widget Name"
As an example:
<div class="wp-block-trending" data-sophi-feature="trending">
<h3>Trending</h3>
<ul>...</ul>
</div>
We currently have a widget name field on the Site Automation block, so I propose that name is what is used for this data attribute. From the examples we've been given, it looks like this name should be lowercase and spaces should be replaced with dashes, so we might need to pass the widget name through sanitization to achieve this.
For direct integrations with WP_Query, this data attribute will need to be added on a site-by-site basis. We probably need to update documentation to mention this.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
composer.json
php >=7.4
snowplow/snowplow-tracker 0.6.1
phpunit/phpunit 9.5.27
automattic/vipwpcs 2.3.3
dealerdirect/phpcodesniffer-composer-installer 0.7.2
.github/workflows/build-docs.yml
actions/checkout v3.5.3
actions/setup-node v3
peaceiris/actions-gh-pages v3
.github/workflows/dotorg-asset-readme-update.yml
.github/workflows/dotorg-push-deploy.yml
actions/checkout v3
actions/setup-node v3
actions/upload-release-asset v1
.github/workflows/lint.yml
actions/checkout v3
shivammathur/setup-php v2
.github/workflows/php-compatibility-dev.yml
actions/checkout v3
shivammathur/setup-php v2
.github/workflows/php-compatibility.yml
actions/checkout v3
shivammathur/setup-php v2
.github/workflows/test.yml
actions/checkout v3
shivammathur/setup-php v2
package.json
@10up/block-components ^1.13.0
@wordpress/icons 9.14.0
10up-toolkit 4.3.1
jsdoc 3.6.11
prop-types 15.8.1
wp-hookdoc 0.2.0
node >=12.0.0
Minor suggestion but thinking we may want to move the get_supported_post_types function from the core.php file to the utils.php file. This seems more like a utility function, though moving would require updating the namespace anywhere this function is used.
Is your enhancement related to a problem? Please describe.
VIP just released version 2.3.0 of their Coding Standards, we should ensure the plugin updates to use these new standards.
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context
Library that provides collection, processing, and rendering functionality for PHP code coverage information.
Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/819f92bba8b001d4363065928088de22f25a3a48
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
Found in HEAD commit: 23a26be24eec064a68e5fa5b526726372d41a3fd
Found in base branch: develop
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with Mend here
Describe the bug
The following is unconfirmed in a dev or local environment, but worth sharing in case there is something off with the CLI command that runs in VIP.
Steps to Reproduce
I’m running the CLI command for sophi on the VIP production site and have two observations:
- the plugin ran in dry mode without me asking it to
- I set a limit of 1000 and per page of 10, I’d expect “Preparing for the next batch...” a hundred times (a progress bar would be nicer) but it’s been about 300 of those by now
Expected behavior
Screenshots
Environment information
Additional context
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
Library that provides collection, processing, and rendering functionality for PHP code coverage information.
Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/819f92bba8b001d4363065928088de22f25a3a48
Dependency Hierarchy:
Found in HEAD commit: 23a26be24eec064a68e5fa5b526726372d41a3fd
Found in base branch: develop
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-object-fit-images/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution: postcss - 8.2.13
The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.
This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.
* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution: v4.2.2
Is your enhancement related to a problem? Please describe.
Once WordPress 5.8 is released, we'll want to test Sophi to see if any incompatibility issues arise.
Describe the solution you'd like
Designs
n/a
Describe alternatives you've considered
none
Additional context
n/a
This issue is for tracking changes for the 1.0.3 release. Target release date: 15 June 2021.
- develop, cut a release branch named release/1.0.3 for your changes.
- sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
- CHANGELOG.md and readme.txt.
- CREDITS.md with any new contributors, confirm maintainers are accurate.
- README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
- .distignore.
- develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
- trunk branch, test for functionality locally.
- trunk branch to GitHub (e.g. git push origin trunk).
- trunk branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
- Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
- 1.0.3 do not make it into the release, update their milestone to 1.1.0 or Future Release.
- develop branch (cd ../ && git checkout develop) bump the version number in sophi.php to 1.0.4-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 2.8.9,3.0.8
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/trim/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
Base Score Metrics:
Type: Upgrade version
Origin: component/trim#8
Release Date: 2020-10-27
Fix Resolution: trim - 0.0.3
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cacheable-request/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
Is your enhancement related to a problem? Please describe.
Add our hook doc action and ensure we're using JSDoc-formatted docblocks for our hooks so that we can generate this developer-friendly docs site from the plugin.
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-html/package.json
Dependency Hierarchy:
Found in base branch: develop
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution: VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.4.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
This issue is for tracking changes for the 1.0.0 release. Target release date: 14 April 2021.
1. Starting from develop, cut a release branch named release/1.0.0 for your changes.
2. Bump the version number in sophi-for-wordpress.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi-for-wordpress.php.
3. Update the changelog in CHANGELOG.md and readme.txt.
4. Update CREDITS.md with any new contributors, confirm maintainers are accurate.
5. Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
6. Check that any new files or paths that should not ship in the production build are listed in .github/action-release/rsync-filter.txt.
7. Merge the release branch into develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
8. While still on the trunk branch, test for functionality locally.
9. Push your trunk branch to GitHub (e.g. git push origin trunk).
10. Check out the stable branch and test for functionality locally.
11. Create a new release for the new version number, targeting the stable branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
12. Edit the milestone with the release date (in the Due date (optional) field) and a link to the GitHub release (in the Description field), then close the milestone.
13. If any open issues or PRs which were milestoned for 1.0.0 do not make it into the release, update their milestone to 1.1.0 or Future Release.
14. Returning to the develop branch (cd ../ && git checkout develop), bump the version number in sophi-for-wordpress.php to 1.0.1-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution: engine.io - 4.0.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: develop
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/axios/axios/releases/tag/v0.21.2
Release Date: 2021-08-31
Fix Resolution: axios - 0.21.2
Is your enhancement related to a problem? Please describe.
In a recent check-in meeting with the Sophi team and one of their integration projects, it was identified that a schema update is likely warranted. I'm opening this ticket to capture that work, though we will need to get confirmation from the Sophi team on what schema (e.g. the json-schema?) needs to be updated and to what value before proceeding.
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context
This issue is for tracking changes for the 1.0.2 release. Target release date: 26 April 2021.
1. Starting from develop, cut a release branch named release/1.0.2 for your changes.
2. Bump the version number in sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
3. Update the changelog in CHANGELOG.md and readme.txt.
4. Update CREDITS.md with any new contributors, confirm maintainers are accurate.
5. Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
6. Check that any new files or paths that should not ship in the production build are listed in .github/action-release/rsync-filter.txt.
7. Merge the release branch into develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
8. While still on the trunk branch, test for functionality locally.
9. Push your trunk branch to GitHub (e.g. git push origin trunk).
10. Check out the stable branch and test for functionality locally.
11. Create a new release for the new version number, targeting the stable branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
12. Edit the milestone with the release date (in the Due date (optional) field) and a link to the GitHub release (in the Description field), then close the milestone.
13. If any open issues or PRs which were milestoned for 1.0.2 do not make it into the release, update their milestone to 1.1.0 or Future Release.
14. Returning to the develop branch (cd ../ && git checkout develop), bump the version number in sophi.php to 1.0.3-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.
Currently we have a composer script that will run phpcs
(for instance, if you run composer run lint, it will run the command phpcs). We are loading the proper WP VIP coding standards so this command does most of what we want.
But we can be a little more specific in that command, which will also ensure we are scanning JS files. I'd suggest we update that to be something more robust like:
phpcs --standard=WordPress-VIP-Go -sp --basepath=. --ignore=*/vendor/*,*/node_modules/*,*/tests/*,*/phpunit.xml* .
Might also make sense to make this same update in our lint workflow.
This issue is for tracking changes for the 1.0.1 release. Target release date: 23 April 2021.
1. Starting from develop, cut a release branch named release/1.0.1 for your changes.
2. Bump the version number in sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
3. Update the changelog in CHANGELOG.md and readme.txt.
4. Update CREDITS.md with any new contributors, confirm maintainers are accurate.
5. Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
6. Check that any new files or paths that should not ship in the production build are listed in .github/action-release/rsync-filter.txt.
7. Merge the release branch into develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
8. While still on the trunk branch, test for functionality locally.
9. Push your trunk branch to GitHub (e.g. git push origin trunk).
10. Check out the stable branch and test for functionality locally.
11. Create a new release for the new version number, targeting the stable branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
12. Edit the milestone with the release date (in the Due date (optional) field) and a link to the GitHub release (in the Description field), then close the milestone.
13. If any open issues or PRs which were milestoned for 1.0.1 do not make it into the release, update their milestone to 1.0.2, 1.1.0, or Future Release.
14. Returning to the develop branch (cd ../ && git checkout develop), bump the version number in sophi.php to 1.0.2-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.
Is your enhancement related to a problem? Please describe.
Some Sophi users may have a headless WordPress setup, so let's make sure we consider that and describe in the docs what they might need to do differently to integrate with Sophi (e.g., ensure they're firing the JS tracking themselves).
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context
When activating the plugin, it will try to load https://https//collector.sophi.io/com.snowplowanalytics.snowplow/tp2 even if the plugin has not been configured yet (also note the incorrect address).
Ideally the plugin would do nothing unless properly configured.
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: sophi-for-wordpress/package.json
Path to vulnerable library: sophi-for-wordpress/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Describe the bug
Somewhere within the changes in #109 and #116 (or potentially elsewhere that I have not accounted for) we introduced the ability to send an array to Sophi of post authors. This presumably takes the WP Core default author and appends whatever other plugins may add as additional authors/bylines (e.g., Co-Authors Plus). It seems that somewhere in these various set up configs that we allow either an empty string or a null reference for an author/byline (I forget specifically how Sophi calls this field) to get passed to Sophi which is then causing the entire data set to be tossed out. We should ensure what we send to Sophi for author/byline does not include an invalid empty string or null reference (though we should ensure we get precise confirmation from the Sophi team on what is / is not permissible on their end before making a change here).
Steps to Reproduce
Expected behavior
Screenshots
Environment information
Additional context
Describe the bug
Steps to Reproduce
Expected behavior
The plugin should add the scheme automatically.
Along the same lines, the Collector URL setting requires a URL without a scheme; this is confusing and could be handled more gracefully.
Is your enhancement related to a problem? Please describe.
Once the repo is transferred from https://github.com/10up to https://github.com/globeandmail we'll need to rename a handful of places from 10up to globeandmail, likely https://github.com/10up/sophi-for-wordpress/search?q=10up.
Describe the solution you'd like
Rename 10up to globeandmail.
Designs
n/a
Describe alternatives you've considered
n/a
Additional context
n/a
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41
Found in base branch: develop
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution: trim-newlines - 3.0.1, 4.0.1
Is your enhancement related to a problem? Please describe.
Adding a Sophi option/setting to "Ignore homepage for content sync to Sophi" and displaying what is set for the site homepage at Reading Settings > Your homepage displays, with an edit link to direct Sophi users to http://test.local/wp-admin/options-reading.php for updating. We may also want to consider that some sites may not be using that setting and instead have some other control for handling the site homepage, and as such provide a way to adjust what is considered the "homepage" for the site and should be ignored.
This is the best I can recall/describe of the discussion with a Sophi integration client, but additional input from the Sophi team to ensure this is described correctly is warranted.
Describe the solution you'd like
Designs
Describe alternatives you've considered
Additional context