Hello,
I submitted plugin to Plugins Directory - DebugPress: Debugger in a Popup (ID 5892). Today I got the review email, but that email has nothing to do with my plugin, it shows information for plugin called ‘kts-table-of-contents’ which is not mine.
Can someone check this out, and let me know what is going on?
Regards,
Milan
Hello, Milan! It looks like the reviewer mixed up the IDs and looked at my plugin instead of yours. Thanks for letting us know.
We’ll get your plugin reviewed properly as soon as we can.
Yes, Dev4Press, we are on-boarding a new reviewer who was new at using the directory review system; and added the incorrect ID number for sending the review email to. Your plugin will be reviewed this weekend and we are glad to have you here as a plugin author for ClassicPress.
Thanks!
I have received the email with the review, and I have few issues with it, I would like to discuss:
My plugin is a debugger plugin, so it depends on using a lot of functions that your review flagged. Review flagged various error reporting functions and code, and for Debug plugin that is essential to use.
Plugin has a ‘vendor’ directory where the third-party library (Kint) is placed, and will be updated in the future. I can’t make changes to that library, because it would make it impossible to update it when new version is released by the library author. WordPress.org plugins repository allows for exceptions to libraries placed in the ‘vendor’ directory, and they don’t scan that directory as it will be containing code that is imported.
Regards,
Milan
Milan, Thanks for following up on this. The use of 3rd party packages is always an issue for WP/CP security and most of the time it is OK to use them. In your case you may need to add PHP comment notes at the end of the line which you are getting the reported error; in order to allow for the CPCS code sniffer to ignore the error.
Here is a good example of how this can be done: WooCommerce Code Reference
Where this is truly applicable, you may use the phpcs:ignore comment to allow exceptions to the code sniffer reporting.
As to the 3rd party vendor files. If those are in need of attention and you have no alternative—such as // phpcs:ignore then let us know and we will see if the vendor plans on updating or if there may be another workaround.
I am not aware of a way to add whole folder as PHPCS ignore. WordPress.org ‘Plugin Check’ plugin that uses PHPCS have a global rule to ignore vendor directory, but I am not aware of a way to add ignore in this case directly in the code, and again, changing any vendor files will not work, because that vendor library will be updated in the future. A lot of things PHPCS marked in the vendor directory they will never change, because that library is not made strictly for WordPress, and it can’t use WordPress APIs or functions. I still think you should follow WordPress.org approach and have vendor folders as exceptions inside your PHPCS profile.
As for the rest, I can make changes, and resubmit.
Milan
Please do make the realistic changes that you can and resubmit. We will be glad to determine what to do next. As long as you make some notes about what you attempted to do to remedy the errors. Maybe try to standardize the short ternaries and then sanitize the SERVER defines and sanitize what you can.
Once it makes it through the initial review, there is a good chance that future versions will not be WPCS checked—especially for vendors. But if there is not way to ignore entire folders without difficult intervention and the whole practice of using wrt exceptions is not a great practice either.
Looks like there are 81 lines of code that need attention in the vendor directories. I know that seems like a lot but I would concentrate on the ones that are in your plugin code, first, which looks like around 50 lines. Then I will get back to you about how CP is going to handle vendor sanity and PHPCS.
I have made changes to everything, except vendor directory. I am submitting code review response form, and will include link to this forum topic and note about vendor directory.
Thanks!
Will be waiting until the new week ahead before further review. Thanks for doing this and we will have more info on the vendor files when we get better feedback from our team members, then.
I can confirm that the vendor directory in the root folder of plugins and themes is ignored.
Seems that your code is highly opinionated and this allowed us to spot and remove certain sniffs that relate purely to the aesthetic aspect of the code.
You’ll get soon a new review.
If you want you can look at this repo: GitHub - ClassicPress/dev-workflows: Workflows for plugins and themes developers provided by ClassicPress. and maybe you can add a GitHub cpcs.yml workfolw as described. This is absolutely optional.
Thanks!
Here is the latest review details that you will want to go over. We found the following:
FILE: .../debugpress/core/printer/kint/load.php
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
52 | WARNING | Silencing errors is strongly discouraged. Use proper error checking instead. Found: @Kint::dump( $value
| | )... (WordPress.PHP.NoSilencedErrors.Discouraged)
FILE: .../debugpress/core/main/Info.php
FOUND 6 ERRORS AND 1 WARNING AFFECTING 4 LINES
223 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
266 | ERROR | Use placeholders and $wpdb->prepare(); found debugpress_db (WordPress.DB.PreparedSQL.NotPrepared)
266 | ERROR | Use placeholders and $wpdb->prepare(); found wpdb (WordPress.DB.PreparedSQL.NotPrepared)
266 | ERROR | Use placeholders and $wpdb->prepare(); found base_prefix (WordPress.DB.PreparedSQL.NotPrepared)
266 | ERROR | Unsupported placeholder used in $wpdb->prepare(). Found: "%' GROUP".
| | (WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder)
267 | ERROR | Use placeholders and $wpdb->prepare(); found $sql (WordPress.DB.PreparedSQL.NotPrepared)
At this point you should fix the issue or silence it by adding, as example
// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
at the end of the line. Better if also a comment before the line is added explaining why the error is silenced.
Thanks. I have uploaded new update via the Code Review Response form.
Looks good. Plugin is live now. 
Thanks!
I have a few questions that I can’t find in the documentation:
My plugin contains a WordPress-style ‘readme.txt’ file. However, that file is not properly parsed in the ClassicPress Directory, and markup is visible, not parsed. What is the best way to resolve this? Maybe create a ‘readme.md’ using markdown only?
The guidelines mention Premium plugins. How can such plugins be submitted? The current form requires ZIP from GitHub. How would listing Premium plugins work exactly?
Regards,
Milan