
Comments (9)

szepeviktor avatar szepeviktor commented on July 29, 2024 2

@jessuppi see

  1. https://github.com/nunomaduro/phpinsights
  2. https://themecheck.info/ - https://wordpress.org/plugins/theme-check/
  3. https://coderisk.com/
  4. https://wpvulndb.com/
  5. https://github.com/WordPress/WordPress-Coding-Standards/tree/develop/WordPress/Sniffs/Security
  6. and [email protected] to run various quality code bases

from slickstack.

dyszczo avatar dyszczo commented on July 29, 2024 2

Wow, it looks like PHPStan is so much more than the standard PhpStorm inspections, even with code sniffer integration.
I will allow myself to grab the @szepeviktor phpstan config and add it to our CI - we are using gitlab CI :)
Thank you @szepeviktor for the extension 👍

from slickstack.

jessuppi avatar jessuppi commented on July 29, 2024

Hmm, good question. I'm not sure I have documented the original reason on this plugin; I think perhaps we got it confused with another "UPS WooCommerce Shipping" plugin's errors, e.g.

PHP Fatal error: Uncaught Error: Call to undefined function WC() in /var/www/html/wp-content/plugins/ups-woocommerce-shipping/includes/class-wf-shipping-ups-admin.php:205

...and after looking at recent reviews, we believed there were other issues as well:

https://wordpress.org/plugins/flexible-shipping-ups/#reviews

For now I will remove this plugin from our blacklist. Thanks for commenting.

from slickstack.
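The fatal error quoted above, "Call to undefined function WC()", is what a WooCommerce add-on produces when it calls WC() on a site where WooCommerce is inactive or not yet loaded. The following is an added example, not code from either of the plugins named in this thread, showing the dependency guard that avoids it: defer WooCommerce-dependent work to plugins_loaded and check for the dependency before touching WC(). The example_ function names, the method class name and the 3.0.0 version floor are assumptions; add_action, add_filter, class_exists, function_exists, current_user_can, esc_html__, version_compare and WC()->version are standard WordPress/WooCommerce APIs.

```php
<?php
// Added example (not from the plugins discussed above): guard WooCommerce
// dependent code so that WC() is never called when WooCommerce is absent.
// WC() is only defined once woocommerce.php has been loaded, so all use of
// it must wait for 'plugins_loaded' and be gated on a dependency check.
// Names prefixed example_ and the class Example_Shipping_Method are assumed.

defined( 'ABSPATH' ) || exit;

/**
 * Report whether WooCommerce is loaded, without touching WC() itself.
 */
function example_shipping_woocommerce_loaded(): bool {
    return class_exists( 'WooCommerce' ) && function_exists( 'WC' );
}

/**
 * Bootstrap the shipping integration only when its dependency is present.
 * Priority 20 runs after WooCommerce's own plugins_loaded callbacks.
 */
function example_shipping_bootstrap(): void {
    if ( ! example_shipping_woocommerce_loaded() ) {
        // Degrade gracefully: tell an admin instead of fataling on every request.
        add_action( 'admin_notices', 'example_shipping_missing_dependency_notice' );
        return;
    }

    // Safe to use WC() from here on. The 3.0.0 floor is an assumed requirement.
    if ( version_compare( WC()->version, '3.0.0', '<' ) ) {
        add_action( 'admin_notices', 'example_shipping_missing_dependency_notice' );
        return;
    }

    add_filter( 'woocommerce_shipping_methods', 'example_shipping_register_method' );
}
add_action( 'plugins_loaded', 'example_shipping_bootstrap', 20 );

/**
 * Admin-only notice; output is escaped and shown only to users who can act on it.
 */
function example_shipping_missing_dependency_notice(): void {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p>'
        . esc_html__( 'Example Shipping requires WooCommerce 3.0 or newer to be active.', 'example-shipping' )
        . '</p></div>';
}

/**
 * Register the shipping method class (assumed name, would extend
 * WC_Shipping_Method). It is referenced only after WooCommerce is known
 * to be loaded, so the parent class exists when WooCommerce instantiates it.
 */
function example_shipping_register_method( array $methods ): array {
    $methods['example_shipping'] = 'Example_Shipping_Method';
    return $methods;
}
```

The runtime guard does not help a static analyser: PHPStan still needs a declaration of WC() and the WooCommerce class to check this file, which is what a stub file such as the wc-stubs.php mentioned later in the thread supplies.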

jessuppi avatar jessuppi commented on July 29, 2024

Actually it appears you have a non-dismissable nag notice asking users to enable tracking, which is probably against WordPress.org guidelines (besides the general annoyance).

I recommend and request not hijacking the WP Admin in any way... and 99% of plugins don't need to be tracking their users for general usage statistics.

Will keep it whitelisted for now, but it seems multiple of your plugins are doing hijacky-ness...

from slickstack.

dyszczo avatar dyszczo commented on July 29, 2024

Thanks very much for adding the plugin to the whitelist.

As a backend dev I understand perfectly why this notice is a complete abomination, but as far as I know you can dismiss it quite simply by closing it, so it should be a one-time disturbance.
The data that are tracked are used to grasp what functionalities are really used by users (mostly to prioritize our backlog), and what really works for users when we use A/B testing in a plugin. Surprisingly for me, that is not the info you can easily get from users, as they usually don't know or don't really care till something is broken :)

As for reviews, well... we have dropped the ball and passed a really nasty bug that appears only when certain other plugins are active :/ The lesson has been learned and we've added more integration/functional tests to deal with it but the matter is not that easy to solve. Mostly because WordPress made using composer a real pain in the ass.

I've seen that dashboard-cleanup defines some constants like DISABLE_NAG_NOTICES. I'm not sure if that is a good idea, but we can add a condition to not nag more demanding users who have declared something like that constant.

from slickstack.

jessuppi avatar jessuppi commented on July 29, 2024

As a backend dev I understand perfectly why this notice is a complete abomination, but as far as I know you can dismiss it quite simply by closing it, so it should be a one-time disturbance.

When we tested yesterday, we weren't able to dismiss the nag notice.

The data that are tracked are used to grasp what functionalities are really used by users (mostly to prioritize our backlog), and what really works for users when we use A/B testing in a plugin.

But any plugin author could say that, and most sites have 25-50 plugins or more... surely tracking general usage is not something WordPress as a community wants to standardize. Besides the privacy and bloat issues, it's adding more security/performance concerns.

Implementing DISABLE_NAG_NOTICES would definitely be appreciated by advanced users, and show the community that you're making good faith efforts.

Eventually we may even feature plugin authors who make these sorts of ethical efforts:

  • no tracking or third party resources
  • no nag notices or WP Admin hijacking (and/or DISABLE_NAG_NOTICES support)
  • transparency in author identity and plugin ownership
  • history of solid PHP testing and debugging
  • etc

from slickstack.
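The two comments above propose a tracking notice that respects a DISABLE_NAG_NOTICES constant and can actually be dismissed. The following is an added example of that pattern, written for this page and not taken from any plugin discussed in the thread. The constant name comes from the thread; its semantics (any truthy value suppresses the notice) are an assumption, as are the example_ function names and the two meta/action identifiers. current_user_can, get_user_meta, update_user_meta, check_admin_referer, wp_nonce_url, add_query_arg, remove_query_arg, wp_safe_redirect, esc_html__ and esc_url are standard WordPress APIs. Beyond the constant itself, it shows the two checks such a notice needs to be safe: a capability check so only users who can change the setting see or act on it, and a nonce on the dismiss link so a forged request cannot change user state.

```php
<?php
// Added example (not from the plugins discussed above): an opt-in tracking
// notice that is skipped entirely when DISABLE_NAG_NOTICES is defined and
// truthy (assumed semantics), is shown only to users who can act on it,
// and can be dismissed permanently through a nonce-protected link.
// Identifiers prefixed example_ / EXAMPLE_ are assumed names.

defined( 'ABSPATH' ) || exit;

const EXAMPLE_TRACKER_DISMISS_META   = 'example_tracker_notice_dismissed';
const EXAMPLE_TRACKER_DISMISS_ACTION = 'example_tracker_dismiss';

/** True when the site operator has asked plugins not to nag. */
function example_tracker_nags_disabled(): bool {
    return defined( 'DISABLE_NAG_NOTICES' ) && DISABLE_NAG_NOTICES;
}

/** Should the notice be rendered for the current user? */
function example_tracker_should_show_notice(): bool {
    if ( example_tracker_nags_disabled() ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Per-user dismissal flag; stored once, read on every admin page load.
    return ! get_user_meta( get_current_user_id(), EXAMPLE_TRACKER_DISMISS_META, true );
}

/** Handle the dismiss link: capability + nonce check before writing anything. */
function example_tracker_handle_dismiss(): void {
    if ( ! isset( $_GET[ EXAMPLE_TRACKER_DISMISS_ACTION ] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Rejects forged cross-site requests; wp_die()s when the nonce is invalid.
    check_admin_referer( EXAMPLE_TRACKER_DISMISS_ACTION );

    update_user_meta( get_current_user_id(), EXAMPLE_TRACKER_DISMISS_META, 1 );

    // Redirect to the same page without the action/nonce so a refresh is idempotent.
    wp_safe_redirect( remove_query_arg( array( EXAMPLE_TRACKER_DISMISS_ACTION, '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'example_tracker_handle_dismiss' );

/** Render the notice; the dismiss link carries a nonce bound to the action name. */
function example_tracker_render_notice(): void {
    if ( ! example_tracker_should_show_notice() ) {
        return;
    }
    $dismiss_url = wp_nonce_url(
        add_query_arg( EXAMPLE_TRACKER_DISMISS_ACTION, '1' ),
        EXAMPLE_TRACKER_DISMISS_ACTION
    );
    printf(
        '<div class="notice notice-info"><p>%s <a href="%s">%s</a></p></div>',
        esc_html__( 'Help improve this plugin by sharing anonymous usage data?', 'example-tracker' ),
        esc_url( $dismiss_url ),
        esc_html__( 'No thanks, do not ask again', 'example-tracker' )
    );
}
add_action( 'admin_notices', 'example_tracker_render_notice' );
```

A site that sets `define( 'DISABLE_NAG_NOTICES', true );` in wp-config.php never sees the notice and never reaches the dismiss handler. The "enable tracking" link that a real plugin would add alongside "No thanks" should go through the same capability and nonce checks, since it changes what data leaves the site.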

szepeviktor avatar szepeviktor commented on July 29, 2024

@dyszczo It takes a couple of minutes to take a look at a plugin with szepeviktor/phpstan-wordpress

here is the first try on the config for flexible-shipping-ups plugin

phpstan.neon

# Install phpstan/phpstan-shim and szepeviktor/phpstan-wordpress into a renamed vendor dir
# "config": { "vendor-dir": "analyze" }
# analyze/bin/phpstan analyze

includes:
    - phar://phpstan.phar/conf/bleedingEdge.neon
    - analyze/szepeviktor/phpstan-wordpress/extension.neon
parameters:
    level: 4
    paths:
        - %currentWorkingDirectory%/inc/
        - %currentWorkingDirectory%/classes/
    excludes_analyse:
        - %currentWorkingDirectory%/inc/wpdesk-tracker/views/
        - %currentWorkingDirectory%/classes/views/
    autoload_files:
        - %currentWorkingDirectory%/vendor/autoload.php
        - %currentWorkingDirectory%/wc-stubs.php
    autoload_directories:
        - %currentWorkingDirectory%/inc/
        - %currentWorkingDirectory%/classes/
        - %currentWorkingDirectory%/vendor/wpdesk/wp-basic-requirements/src/
    ignoreErrors:
        # Uses func_get_args()
        - '#^Function add_query_arg invoked with [123] parameters?, 0 required\.$#'

wc-stubs.php is generated by szepeviktor/phpstan-wordpress#4

from slickstack.

jessuppi avatar jessuppi commented on July 29, 2024

@dyszczo It takes a couple of minutes to take a look at a plugin with szepeviktor/phpstan-wordpress ... here is the first try on the config for flexible-shipping-ups plugin

Wow, that's some nice looking sorcery. I'm not a PHP wizard myself, to be honest...

If there were easy to understand "red flags" or a grading system, that would be kinda interesting to refer plugin authors to as some general feedback on their code. Having WordPress-specific warnings would probably be too difficult to maintain I guess, but something that can at least generate some type of grading system would be interesting, like A, B, C, etc.

I would guess the majority of WP developers don't use Composer and probably are hacking together all kinds of PHP snippets, so something easy to generate (online tool?) would be amazing.

Anyway cool stuff :)

from slickstack.

szepeviktor avatar szepeviktor commented on July 29, 2024

You're welcome.

from slickstack.
