- See the previous BP Dev Chat summary: April 17 (2024)
- In attendance: @dcavins @im4th @emaralive @espellcaste @vapvarun
- Slack archive
👷♂️ 12.4.1 Retrospective
We started the meeting by discussing the Security Releases process. This process happens very privately, and we make sure to be as quiet as possible about the security fix(es) we include in the code. BuddyPress Committers received a security alert from the WordPress Plugin Team on April 20. It involved our dynamic Block Widgets (read the 12.4.1 changelog for more information about it). Once we fixed it, as requested by the WordPress Plugin Team, we performed a complete security check of the BuddyPress code using the Plugin Check plugin. This check revealed that many escaping improvements were needed. As security is our first priority, we decided to also include all needed escaping improvements in the 12.4.1 security release, even though we knew we were taking the risk of being too conservative about some of these (Security Releases can’t be beta tested). Once the security release was published, some escapes turned out to be problematic and generated 5 regressions.
During the chat, we made the following decisions:
- to take more time to test 12.4.1 in order to find any other regressions, postponing our next meetings by a week;
- to quickly package a maintenance release to get rid of these regressions (12.5.0 was released on May 14, 2024);
- to improve our GitHub action that checks WordPress Coding Standards so that it now includes escaping rules (@espellcaste committed the improvements on May 4, 2024).
NB: #9080 (Deployment Process review) would be a really great improvement: building the Security Releases was a pretty long task, as we backported the fix to the 11.0, 10.0 & 9.0 branches and made the 11.4.1, 10.6.3 & 9.2.3 tags available on the Plugin Directory.
🧰 BuddyPress 14.0.0
We then talked about ticket #8728 (allowing group mods/admins to delete corresponding group activities): @im4th has grouped the unit tests and patch into this GitHub PR, which also takes @needle’s feedback into account. We decided to take more time to test the PR before committing it to SVN trunk.
@espellcaste asked the team whether we should also sort values for xProfile options (see #8728): we agreed field option values should respect the sort options for multiselect/checkbox fields.
@espellcaste requested the team’s opinion about the fact that it’s currently possible to request many activation email “resends” (see #9137): we agreed we should add some sort of feedback to the user after locking them out for a period of time (maybe an hour, will be configurable), a bit like WordPress does for comments.
Finally, we talked about a possible breaking change: including all additional signup fields in the corresponding BP REST API endpoint (see this PR). As it was a bit late and we needed more time to figure it out, @im4th made his suggestions a bit later. @espellcaste has since merged the PR and written a great developer note about it.
14.0.0 schedule reminder
- June 3: 14.0.0-beta1.
- July 8: 14.0.0.
Next Dev-Chat
It will happen on Wednesday May 22, 2024 at 19:00 UTC in #BuddyPress.