From c69a0b28fea5fa12a75a5633d9d1bf24edc8444c Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 17:38:59 -0700
Subject: [PATCH 01/11] Add XML Schema to PHPCS rulesets

---
 phpcs.xml.dist                                | 2 +-
 plugins/auto-sizes/phpcs.xml.dist             | 2 +-
 plugins/dominant-color-images/phpcs.xml.dist  | 2 +-
 plugins/embed-optimizer/phpcs.xml.dist        | 2 +-
 plugins/image-prioritizer/phpcs.xml.dist      | 2 +-
 plugins/optimization-detective/phpcs.xml.dist | 2 +-
 plugins/performance-lab/phpcs.xml.dist        | 2 +-
 plugins/speculation-rules/phpcs.xml.dist      | 2 +-
 plugins/view-transitions/phpcs.xml.dist       | 2 +-
 plugins/web-worker-offloading/phpcs.xml.dist  | 2 +-
 plugins/webp-uploads/phpcs.xml.dist           | 2 +-
 tools/phpcs/phpcs.ruleset.xml                 | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/phpcs.xml.dist b/phpcs.xml.dist
index 422dfa2a0d..08d04a500e 100644
--- a/phpcs.xml.dist
+++ b/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP">
+<ruleset name="WPP" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for the Performance Features.</description>
 	<rule ref="tools/phpcs/phpcs.ruleset.xml"/>
 
diff --git a/plugins/auto-sizes/phpcs.xml.dist b/plugins/auto-sizes/phpcs.xml.dist
index 93c5a62c2b..c2bfc2358b 100644
--- a/plugins/auto-sizes/phpcs.xml.dist
+++ b/plugins/auto-sizes/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-AutoSizes">
+<ruleset name="WPP-AutoSizes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Enhanced Responsive Images Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/dominant-color-images/phpcs.xml.dist b/plugins/dominant-color-images/phpcs.xml.dist
index a70fa3a278..541ec74c3b 100644
--- a/plugins/dominant-color-images/phpcs.xml.dist
+++ b/plugins/dominant-color-images/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-DominantColorImages">
+<ruleset name="WPP-DominantColorImages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Image Placeholders Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/embed-optimizer/phpcs.xml.dist b/plugins/embed-optimizer/phpcs.xml.dist
index 636960fe71..179d63c41f 100644
--- a/plugins/embed-optimizer/phpcs.xml.dist
+++ b/plugins/embed-optimizer/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-EmbedOptimizer">
+<ruleset name="WPP-EmbedOptimizer" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Embed Optimizer Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/image-prioritizer/phpcs.xml.dist b/plugins/image-prioritizer/phpcs.xml.dist
index c0feb28874..62faf18535 100644
--- a/plugins/image-prioritizer/phpcs.xml.dist
+++ b/plugins/image-prioritizer/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-ImagePrioritizer">
+<ruleset name="WPP-ImagePrioritizer" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Image Prioritizer Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/optimization-detective/phpcs.xml.dist b/plugins/optimization-detective/phpcs.xml.dist
index b0df9641f9..0ca0cee143 100644
--- a/plugins/optimization-detective/phpcs.xml.dist
+++ b/plugins/optimization-detective/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-OptimizationDetective">
+<ruleset name="WPP-OptimizationDetective" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Optimization Detective Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/performance-lab/phpcs.xml.dist b/plugins/performance-lab/phpcs.xml.dist
index 28ff4be322..f233699ede 100644
--- a/plugins/performance-lab/phpcs.xml.dist
+++ b/plugins/performance-lab/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-PerformanceLab">
+<ruleset name="WPP-PerformanceLab" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for the Performance Lab Plugin</description>
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
 
diff --git a/plugins/speculation-rules/phpcs.xml.dist b/plugins/speculation-rules/phpcs.xml.dist
index 3a1fd1d254..76e68c23d5 100644
--- a/plugins/speculation-rules/phpcs.xml.dist
+++ b/plugins/speculation-rules/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-SpeculationRules">
+<ruleset name="WPP-SpeculationRules" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Speculative Loading Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/view-transitions/phpcs.xml.dist b/plugins/view-transitions/phpcs.xml.dist
index d96e202e5f..ba0d0d9d58 100644
--- a/plugins/view-transitions/phpcs.xml.dist
+++ b/plugins/view-transitions/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-ViewTransitions">
+<ruleset name="WPP-ViewTransitions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for View Transitions Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/web-worker-offloading/phpcs.xml.dist b/plugins/web-worker-offloading/phpcs.xml.dist
index 510da6971b..45ce93b823 100644
--- a/plugins/web-worker-offloading/phpcs.xml.dist
+++ b/plugins/web-worker-offloading/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-Web-Worker-Offloading">
+<ruleset name="WPP-Web-Worker-Offloading" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Web Worker Offloading</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/plugins/webp-uploads/phpcs.xml.dist b/plugins/webp-uploads/phpcs.xml.dist
index 41b87f0838..b35f6c6d8f 100644
--- a/plugins/webp-uploads/phpcs.xml.dist
+++ b/plugins/webp-uploads/phpcs.xml.dist
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-WebPUploads">
+<ruleset name="WPP-WebPUploads" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>WordPress Coding Standards for Modern Image Formats Plugin</description>
 
 	<rule ref="../../tools/phpcs/phpcs.ruleset.xml"/>
diff --git a/tools/phpcs/phpcs.ruleset.xml b/tools/phpcs/phpcs.ruleset.xml
index 094927b585..8aa845966a 100644
--- a/tools/phpcs/phpcs.ruleset.xml
+++ b/tools/phpcs/phpcs.ruleset.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset name="WPP-Base">
+<ruleset name="WPP-Base" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>Sniffs for WordPress plugins</description>
 
 	<rule ref="PHPCompatibility"/>

From 03e197f4de3cd4b6206437c854541ca140fbe846 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 18:16:39 -0700
Subject: [PATCH 02/11] Add plugin-check as dependency and incorporate ruleset

---
 composer.json                        |  19 ++-
 composer.lock                        | 172 ++++++++++++++++++++++++++-
 tools/phpcs/phpcs.ruleset.xml        |   3 +
 tools/phpcs/plugin-check.ruleset.xml | 152 +++++++++++++++++++++++
 4 files changed, 340 insertions(+), 6 deletions(-)
 create mode 100644 tools/phpcs/plugin-check.ruleset.xml

diff --git a/composer.json b/composer.json
index 8accd8b17a..5fa23060fc 100644
--- a/composer.json
+++ b/composer.json
@@ -20,6 +20,19 @@
     "ext-gd": "Required to use Modern Image Format's Dominant_Color_Image_Editor_GD class",
     "ext-zlib": "Required for compression of URL Metric data submitted to the REST API for storage in Optimization Detective"
   },
+  "repositories": [
+    {
+      "type": "composer",
+      "url": "https://wpackagist.org"
+    }
+  ],
+  "extra": {
+    "installer-paths": {
+      "vendor/{$vendor}/{$name}/": [
+        "wpackagist-plugin/plugin-check"
+      ]
+    }
+  },
   "require-dev": {
     "phpcompatibility/php-compatibility": "^9.3",
     "phpstan/extension-installer": "^1.3",
@@ -33,12 +46,14 @@
     "wp-phpunit/wp-phpunit": "^6.5",
     "yoast/phpunit-polyfills": "^4.0",
     "phpstan/php-8-stubs": "^0.4.0",
-    "phpstan/phpstan-strict-rules": "^1.6"
+    "phpstan/phpstan-strict-rules": "^1.6",
+    "wpackagist-plugin/plugin-check": "^1.5"
   },
   "config": {
     "allow-plugins": {
       "dealerdirect/phpcodesniffer-composer-installer": true,
-      "phpstan/extension-installer": true
+      "phpstan/extension-installer": true,
+      "composer/installers": true
     },
     "platform": {
       "php": "7.2"
diff --git a/composer.lock b/composer.lock
index e3fa53409f..6a44c2475b 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,9 +4,155 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "f73c1471c3cf7dd534a748232fb1f29e",
+    "content-hash": "37a47b0119d47cfa9b5296907f5d14c9",
     "packages": [],
     "packages-dev": [
+        {
+            "name": "composer/installers",
+            "version": "v2.3.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/composer/installers.git",
+                "reference": "12fb2dfe5e16183de69e784a7b84046c43d97e8e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/composer/installers/zipball/12fb2dfe5e16183de69e784a7b84046c43d97e8e",
+                "reference": "12fb2dfe5e16183de69e784a7b84046c43d97e8e",
+                "shasum": ""
+            },
+            "require": {
+                "composer-plugin-api": "^1.0 || ^2.0",
+                "php": "^7.2 || ^8.0"
+            },
+            "require-dev": {
+                "composer/composer": "^1.10.27 || ^2.7",
+                "composer/semver": "^1.7.2 || ^3.4.0",
+                "phpstan/phpstan": "^1.11",
+                "phpstan/phpstan-phpunit": "^1",
+                "symfony/phpunit-bridge": "^7.1.1",
+                "symfony/process": "^5 || ^6 || ^7"
+            },
+            "type": "composer-plugin",
+            "extra": {
+                "class": "Composer\\Installers\\Plugin",
+                "branch-alias": {
+                    "dev-main": "2.x-dev"
+                },
+                "plugin-modifies-install-path": true
+            },
+            "autoload": {
+                "psr-4": {
+                    "Composer\\Installers\\": "src/Composer/Installers"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Kyle Robinson Young",
+                    "email": "kyle@dontkry.com",
+                    "homepage": "https://github.com/shama"
+                }
+            ],
+            "description": "A multi-framework Composer library installer",
+            "homepage": "https://composer.github.io/installers/",
+            "keywords": [
+                "Dolibarr",
+                "Eliasis",
+                "Hurad",
+                "ImageCMS",
+                "Kanboard",
+                "Lan Management System",
+                "MODX Evo",
+                "MantisBT",
+                "Mautic",
+                "Maya",
+                "OXID",
+                "Plentymarkets",
+                "Porto",
+                "RadPHP",
+                "SMF",
+                "Starbug",
+                "Thelia",
+                "Whmcs",
+                "WolfCMS",
+                "agl",
+                "annotatecms",
+                "attogram",
+                "bitrix",
+                "cakephp",
+                "chef",
+                "cockpit",
+                "codeigniter",
+                "concrete5",
+                "concreteCMS",
+                "croogo",
+                "dokuwiki",
+                "drupal",
+                "eZ Platform",
+                "elgg",
+                "expressionengine",
+                "fuelphp",
+                "grav",
+                "installer",
+                "itop",
+                "known",
+                "kohana",
+                "laravel",
+                "lavalite",
+                "lithium",
+                "magento",
+                "majima",
+                "mako",
+                "matomo",
+                "mediawiki",
+                "miaoxing",
+                "modulework",
+                "modx",
+                "moodle",
+                "osclass",
+                "pantheon",
+                "phpbb",
+                "piwik",
+                "ppi",
+                "processwire",
+                "puppet",
+                "pxcms",
+                "reindex",
+                "roundcube",
+                "shopware",
+                "silverstripe",
+                "sydes",
+                "sylius",
+                "tastyigniter",
+                "wordpress",
+                "yawik",
+                "zend",
+                "zikula"
+            ],
+            "support": {
+                "issues": "https://github.com/composer/installers/issues",
+                "source": "https://github.com/composer/installers/tree/v2.3.0"
+            },
+            "funding": [
+                {
+                    "url": "https://packagist.com",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/composer",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/composer/composer",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2024-06-24T20:46:46+00:00"
+        },
         {
             "name": "dealerdirect/phpcodesniffer-composer-installer",
             "version": "v1.0.0",
@@ -2517,6 +2663,24 @@
             },
             "time": "2025-04-16T01:40:54+00:00"
         },
+        {
+            "name": "wpackagist-plugin/plugin-check",
+            "version": "1.5.0",
+            "source": {
+                "type": "svn",
+                "url": "https://plugins.svn.wordpress.org/plugin-check/",
+                "reference": "tags/1.5.0"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://downloads.wordpress.org/plugin/plugin-check.1.5.0.zip"
+            },
+            "require": {
+                "composer/installers": "^1.0 || ^2.0"
+            },
+            "type": "wordpress-plugin",
+            "homepage": "https://wordpress.org/plugins/plugin-check/"
+        },
         {
             "name": "yoast/phpunit-polyfills",
             "version": "4.0.0",
@@ -2583,16 +2747,16 @@
     ],
     "aliases": [],
     "minimum-stability": "stable",
-    "stability-flags": [],
+    "stability-flags": {},
     "prefer-stable": false,
     "prefer-lowest": false,
     "platform": {
         "php": "^7.2 || ^8.0",
         "ext-json": "*"
     },
-    "platform-dev": [],
+    "platform-dev": {},
     "platform-overrides": {
         "php": "7.2"
     },
-    "plugin-api-version": "2.3.0"
+    "plugin-api-version": "2.6.0"
 }
diff --git a/tools/phpcs/phpcs.ruleset.xml b/tools/phpcs/phpcs.ruleset.xml
index 8aa845966a..495c6c0c3b 100644
--- a/tools/phpcs/phpcs.ruleset.xml
+++ b/tools/phpcs/phpcs.ruleset.xml
@@ -2,6 +2,9 @@
 <ruleset name="WPP-Base" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
 	<description>Sniffs for WordPress plugins</description>
 
+	<rule ref="../../vendor/wpackagist-plugin/plugin-check/vendor/plugin-check/phpcs-sniffs/PluginCheck/ruleset.xml" />
+	<rule ref="./plugin-check.ruleset.xml"/>
+
 	<rule ref="PHPCompatibility"/>
 	<config name="testVersion" value="7.2-"/>
 
diff --git a/tools/phpcs/plugin-check.ruleset.xml b/tools/phpcs/plugin-check.ruleset.xml
new file mode 100644
index 0000000000..8050a22edd
--- /dev/null
+++ b/tools/phpcs/plugin-check.ruleset.xml
@@ -0,0 +1,152 @@
+<?xml version="1.0"?>
+<ruleset name="WPPluginCheck" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
+
+	<!-- For more information: https://make.wordpress.org/plugins/handbook/review/ -->
+	<description>Standards any plugin to be published on wordpress.org should comply with.</description>
+
+	<!-- The following rules have been copied from https://github.com/WordPress/plugin-check/blob/95c426228a23a3b290de7758a1708e95fd3c5345/phpcs-rulesets/plugin-review.xml#L33-L174 -->
+
+	<!-- All SQL queries should be prepared as close to the time of querying the database as possible. -->
+	<rule ref="WordPress.DB.PreparedSQL"/>
+	<rule ref="WordPress.DB.PreparedSQL.InterpolatedNotPrepared">
+		<!-- Ideally this wouldn't trigger on "safe" items, but it's triggered on any variable in the SQL. -->
+		<type>warning</type>
+	</rule>
+
+	<!-- Verify that placeholders in prepared queries are used correctly. -->
+	<rule ref="WordPress.DB.PreparedSQLPlaceholders"/>
+
+	<!-- Nonces. These are triggered on any GET/POST access items. -->
+	<rule ref="WordPress.Security.NonceVerification">
+		<!-- This is triggered on all GET/POST access, it can't be an error. -->
+		<type>warning</type>
+	</rule>
+
+	<!-- Sanitized Input rules -->
+	<rule ref="WordPress.Security.ValidatedSanitizedInput">
+		<type>warning</type>
+	</rule>
+
+	<!-- Prohibit the use of the backtick operator. -->
+	<rule ref="Generic.PHP.BacktickOperator">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Prohibit the use of HEREDOC or NOWDOC. -->
+	<rule ref="Squiz.PHP.Heredoc">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Prohibit the use of the `goto` PHP language construct. -->
+	<rule ref="Generic.PHP.DiscourageGoto.Found">
+		<type>error</type>
+		<severity>7</severity>
+		<message>The "goto" language construct should not be used.</message>
+	</rule>
+
+	<!-- Check for error logs in plugin -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions">
+		<type>warning</type>
+	</rule>
+
+	<!-- No PHP short open tags allowed. -->
+	<rule ref="Generic.PHP.DisallowShortOpenTag"/>
+	<rule ref="Generic.PHP.DisallowShortOpenTag.Found">
+		<severity>7</severity>
+	</rule>
+	<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Alternative PHP open tags not allowed. -->
+	<rule ref="Generic.PHP.DisallowAlternativePHPTags">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Prevent path disclosure when using add_theme_page(). -->
+	<rule ref="WordPress.Security.PluginMenuSlug">
+		<severity>6</severity>
+	</rule>
+
+	<!-- While most plugins shouldn't query the database directly, if they do, it should be done correctly. -->
+	<!-- Don't use the PHP database functions and classes, use the WP abstraction layer instead. -->
+	<rule ref="WordPress.DB.RestrictedClasses">
+		<severity>7</severity>
+	</rule>
+
+	<rule ref="WordPress.DB.RestrictedFunctions">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for code WP does better -->
+	<rule ref="WordPress.WP.AlternativeFunctions">
+		<type>error</type>
+		<exclude name="WordPress.WP.AlternativeFunctions.json_encode_json_encode"/>
+		<exclude name="WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents"/>
+		<exclude name="WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents"/>
+	</rule>
+
+	<rule ref="Generic.PHP.ForbiddenFunctions">
+		<properties>
+			<property name="forbiddenFunctions" type="array">
+				<element key="move_uploaded_file" value="null"/>
+				<element key="passthru" value="null"/>
+				<element key="proc_open" value="null"/>
+				<element key="create_function" value="null"/>
+				<element key="eval" value="null"/>
+				<element key="str_rot13" value="null"/>
+			</property>
+		</properties>
+		<type>error</type>
+		<severity>7</severity>
+	</rule>
+
+	<rule ref="Squiz.PHP.DiscouragedFunctions">
+		<properties>
+			<property name="forbiddenFunctions" type="array">
+				<element key="set_time_limit" value="null"/>
+				<element key="ini_set" value="null"/>
+				<element key="ini_alter" value="null"/>
+				<element key="dl" value="null"/>
+			</property>
+		</properties>
+	</rule>
+
+	<!-- Check for use of deprecated WordPress classes, functions and function parameters. -->
+	<rule ref="WordPress.WP.DeprecatedClasses"/>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedParameters"/>
+	<rule ref="WordPress.DateTime.RestrictedFunctions"/>
+
+	<!-- Check for deprecated WordPress constants. -->
+	<rule ref="WordPress.WP.DiscouragedConstants">
+		<type>error</type>
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for discouraged WordPress functions. -->
+	<rule ref="WordPress.WP.DiscouragedFunctions">
+		<severity>6</severity>
+	</rule>
+
+	<!-- Check for usage of deprecated parameter values in WP functions and provide alternative based on the parameter passed. -->
+	<rule ref="WordPress.WP.DeprecatedParameterValues">
+		<severity>7</severity>
+	</rule>
+
+	<!-- No ByteOrderMark allowed - important to prevent issues with content being sent before headers. -->
+	<rule ref="Generic.Files.ByteOrderMark">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Call-time pass-by-reference has been deprecated since PHP 5.3 and should not be used. -->
+	<rule ref="Generic.Functions.CallTimePassByReference">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for missing required function parameters. -->
+	<rule ref="PluginCheck.CodeAnalysis.RequiredFunctionParameters">
+		<severity>7</severity>
+	</rule>
+
+</ruleset>

From dbbdb0ecca23692aa7169894d4a29be526cbb996 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 18:29:48 -0700
Subject: [PATCH 03/11] Fix issues in performance-lab

---
 plugins/performance-lab/includes/admin/load.php               | 4 ++--
 .../includes/site-health/audit-autoloaded-options/hooks.php   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/performance-lab/includes/admin/load.php b/plugins/performance-lab/includes/admin/load.php
index c680c983c1..36675123ce 100644
--- a/plugins/performance-lab/includes/admin/load.php
+++ b/plugins/performance-lab/includes/admin/load.php
@@ -305,7 +305,7 @@ function perflab_install_activate_plugin_callback(): void {
 		wp_die( esc_html__( 'Missing required parameter.', 'performance-lab' ) );
 	}
 
-	$plugin_slug = perflab_sanitize_plugin_slug( wp_unslash( $_GET['slug'] ) );
+	$plugin_slug = perflab_sanitize_plugin_slug( wp_unslash( $_GET['slug'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- perflab_sanitize_plugin_slug() is a sanitizing function.
 	if ( null === $plugin_slug ) {
 		wp_die( esc_html__( 'Invalid plugin.', 'performance-lab' ) );
 	}
@@ -407,7 +407,7 @@ static function ( $name ) {
 
 	$activated_plugin_slug = null;
 	if ( isset( $_GET['activate'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-		$activated_plugin_slug = perflab_sanitize_plugin_slug( wp_unslash( $_GET['activate'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$activated_plugin_slug = perflab_sanitize_plugin_slug( wp_unslash( $_GET['activate'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- perflab_sanitize_plugin_slug() is a sanitizing function.
 	}
 
 	if ( null !== $activated_plugin_slug ) {
diff --git a/plugins/performance-lab/includes/site-health/audit-autoloaded-options/hooks.php b/plugins/performance-lab/includes/site-health/audit-autoloaded-options/hooks.php
index d6dc0320cd..d2e9ce3e54 100644
--- a/plugins/performance-lab/includes/site-health/audit-autoloaded-options/hooks.php
+++ b/plugins/performance-lab/includes/site-health/audit-autoloaded-options/hooks.php
@@ -57,7 +57,7 @@ function perflab_aao_handle_update_autoload(): void {
 	}
 
 	$option_name = sanitize_text_field( wp_unslash( $_GET['option_name'] ) );
-	$autoload    = rest_sanitize_boolean( $_GET['autoload'] );
+	$autoload    = rest_sanitize_boolean( wp_unslash( $_GET['autoload'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Won't be needed after <https://github.com/WordPress/WordPress-Coding-Standards/pull/2530>.
 
 	if ( ! current_user_can( 'manage_options' ) ) {
 		wp_die( esc_html__( 'Permission denied.', 'performance-lab' ) );

From 159255bbf962889a7763d566ba1f041862d7f447 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 19:10:23 -0700
Subject: [PATCH 04/11] Exclude irrelevant sniffs from tests

---
 tools/phpcs/phpcs.ruleset.xml | 53 ++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 17 deletions(-)

diff --git a/tools/phpcs/phpcs.ruleset.xml b/tools/phpcs/phpcs.ruleset.xml
index 495c6c0c3b..0941930782 100644
--- a/tools/phpcs/phpcs.ruleset.xml
+++ b/tools/phpcs/phpcs.ruleset.xml
@@ -20,57 +20,57 @@
 
 	<!-- Do not require docblocks for unit tests -->
 	<rule ref="Squiz.Commenting.FunctionComment.Missing">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Squiz.Commenting.FileComment.Missing">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Squiz.Commenting.ClassComment.Missing">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Squiz.Commenting.ClassComment.SpacingAfter">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Squiz.Commenting.FunctionComment.MissingParamTag">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Generic.Commenting.DocComment.Empty">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Generic.Commenting.DocComment.MissingShort">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Squiz.Commenting.VariableComment.Missing">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="Squiz.Commenting.FunctionCommentThrowTag.Missing">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.Security.EscapeOutput.ExceptionNotEscaped">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 
 	<!-- Ignore inapplicable WordPress-Extra sniffs in tests. -->
 	<rule ref="WordPress.WP.EnqueuedResourceParameters">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 		<exclude-pattern>tools/phpunit/*</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.Security.EscapeOutput.OutputNotEscaped">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 		<exclude-pattern>tools/phpunit/*</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.WP.AlternativeFunctions.unlink_unlink">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 		<exclude-pattern>tools/phpunit/*</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.WP.GlobalVariablesOverride.Prohibited">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.PHP.DevelopmentFunctions.error_log_var_export">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 
 	<!-- Exceptions for variable name casing. -->
@@ -87,7 +87,7 @@
 
 	<!-- Do not apply script rules for unit tests -->
 	<rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedScript">
-		<exclude-pattern>tests/*</exclude-pattern>
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
 	</rule>
 
 	<rule ref="SlevomatCodingStandard.Functions.StaticClosure" />
@@ -122,6 +122,25 @@
 		<exclude name="SlevomatCodingStandard.TypeHints.PropertyTypeHint.MissingTraversableTypeHintSpecification" /><!-- TODO: Investigate this -->
 	</rule>
 
+	<rule ref="PluginCheck.CodeAnalysis.Offloading.OffloadedContent">
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+	</rule>
+	<rule ref="PluginCheck.CodeAnalysis.ImageFunctions.NonEnqueuedImage">
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+	</rule>
+	<rule ref="Squiz.PHP.DiscouragedFunctions.Discouraged">
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+	</rule>
+	<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotValidated">
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+	</rule>
+	<rule ref="WordPress.Security.ValidatedSanitizedInput.MissingUnslash">
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+	</rule>
+	<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized">
+		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+	</rule>
+
 	<!-- Exclude built plugins and built assets in plugins. -->
 	<exclude-pattern>./build/*</exclude-pattern>
 

From c707828f485374305ce55b63295ed2efc676f3f5 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 19:10:52 -0700
Subject: [PATCH 05/11] Add validation and sanitization to string which will be
 hashed anyway

---
 .../storage/class-od-storage-lock.php                     | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/plugins/optimization-detective/storage/class-od-storage-lock.php b/plugins/optimization-detective/storage/class-od-storage-lock.php
index 129a74aad8..8b24db3cf8 100644
--- a/plugins/optimization-detective/storage/class-od-storage-lock.php
+++ b/plugins/optimization-detective/storage/class-od-storage-lock.php
@@ -86,7 +86,13 @@ public static function get_ttl(): int {
 	 * @return non-empty-string Transient key.
 	 */
 	public static function get_transient_key(): string {
-		$ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
+		if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
+			$ip_address = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
+		} elseif ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
+			$ip_address = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
+		} else {
+			$ip_address = '';
+		}
 		return 'url_metrics_storage_lock_' . wp_hash( $ip_address );
 	}
 

From da2944021f101be1084c1f4ad4d2c7a22482a92e Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 19:35:04 -0700
Subject: [PATCH 06/11] Exclude phpunit bootstrap from security sniffs

---
 tools/phpcs/phpcs.ruleset.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/phpcs/phpcs.ruleset.xml b/tools/phpcs/phpcs.ruleset.xml
index 0941930782..8abda929d9 100644
--- a/tools/phpcs/phpcs.ruleset.xml
+++ b/tools/phpcs/phpcs.ruleset.xml
@@ -133,12 +133,15 @@
 	</rule>
 	<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotValidated">
 		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+		<exclude-pattern>./tools/phpunit/bootstrap.php</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.Security.ValidatedSanitizedInput.MissingUnslash">
 		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+		<exclude-pattern>./tools/phpunit/bootstrap.php</exclude-pattern>
 	</rule>
 	<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized">
 		<exclude-pattern>./plugins/*/tests/**</exclude-pattern>
+		<exclude-pattern>./tools/phpunit/bootstrap.php</exclude-pattern>
 	</rule>
 
 	<!-- Exclude built plugins and built assets in plugins. -->

From 5713919ee230a6678e596b4d10cc001b979ec598 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Mon, 9 Jun 2025 20:00:22 -0700
Subject: [PATCH 07/11] Incorporate rest_is_ip_address() for key computation
 and add test assertions

---
 .../storage/class-od-storage-lock.php                      | 2 +-
 .../tests/storage/test-class-od-storage-lock.php           | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/plugins/optimization-detective/storage/class-od-storage-lock.php b/plugins/optimization-detective/storage/class-od-storage-lock.php
index 8b24db3cf8..8da76bed67 100644
--- a/plugins/optimization-detective/storage/class-od-storage-lock.php
+++ b/plugins/optimization-detective/storage/class-od-storage-lock.php
@@ -93,7 +93,7 @@ public static function get_transient_key(): string {
 		} else {
 			$ip_address = '';
 		}
-		return 'url_metrics_storage_lock_' . wp_hash( $ip_address );
+		return 'url_metrics_storage_lock_' . wp_hash( (string) rest_is_ip_address( $ip_address ) );
 	}
 
 	/**
diff --git a/plugins/optimization-detective/tests/storage/test-class-od-storage-lock.php b/plugins/optimization-detective/tests/storage/test-class-od-storage-lock.php
index 23db2ef483..09619a964e 100644
--- a/plugins/optimization-detective/tests/storage/test-class-od-storage-lock.php
+++ b/plugins/optimization-detective/tests/storage/test-class-od-storage-lock.php
@@ -170,15 +170,22 @@ public function test_get_ttl( Closure $set_up, int $expected ): void {
 	public function test_get_transient_key(): void {
 		unset( $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] );
 
+		$missing_ip_key = OD_Storage_Lock::get_transient_key();
+		$this->assertStringStartsWith( 'url_metrics_storage_lock_', $missing_ip_key );
+
 		$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
 		$first_key              = OD_Storage_Lock::get_transient_key();
 		$this->assertStringStartsWith( 'url_metrics_storage_lock_', $first_key );
+		$this->assertNotEquals( $first_key, $missing_ip_key, 'Expected setting REMOTE_ADDR header to take precedence over empty key.' );
 
 		$_SERVER['HTTP_X_FORWARDED_FOR'] = '127.0.0.2';
 		$second_key                      = OD_Storage_Lock::get_transient_key();
 		$this->assertStringStartsWith( 'url_metrics_storage_lock_', $second_key );
 
 		$this->assertNotEquals( $second_key, $first_key, 'Expected setting HTTP_X_FORWARDED_FOR header to take precedence over REMOTE_ADDR.' );
+
+		$_SERVER['HTTP_X_FORWARDED_FOR'] = '<script>EVIL IP</script>';
+		$this->assertSame( $missing_ip_key, OD_Storage_Lock::get_transient_key() );
 	}
 
 	/**

From 830a30cac55f6cc6632fa682d11ea116a340b6ee Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Tue, 10 Jun 2025 06:54:57 -0700
Subject: [PATCH 08/11] Explain why the PCP ruleset is copied

---
 tools/phpcs/phpcs.ruleset.xml        | 3 +++
 tools/phpcs/plugin-check.ruleset.xml | 1 +
 2 files changed, 4 insertions(+)

diff --git a/tools/phpcs/phpcs.ruleset.xml b/tools/phpcs/phpcs.ruleset.xml
index 8abda929d9..bb5b5fa8d3 100644
--- a/tools/phpcs/phpcs.ruleset.xml
+++ b/tools/phpcs/phpcs.ruleset.xml
@@ -3,6 +3,9 @@
 	<description>Sniffs for WordPress plugins</description>
 
 	<rule ref="../../vendor/wpackagist-plugin/plugin-check/vendor/plugin-check/phpcs-sniffs/PluginCheck/ruleset.xml" />
+
+	<!-- Note: The following rule is not directly referencing '../../vendor/wpackagist-plugin/plugin-check/phpcs-rulesets/plugin-review.xml' -->
+	<!-- This is because it has rules/configs that are not desired, especially setting the testVersion to 5.2-. -->
 	<rule ref="./plugin-check.ruleset.xml"/>
 
 	<rule ref="PHPCompatibility"/>
diff --git a/tools/phpcs/plugin-check.ruleset.xml b/tools/phpcs/plugin-check.ruleset.xml
index 8050a22edd..691e61988d 100644
--- a/tools/phpcs/plugin-check.ruleset.xml
+++ b/tools/phpcs/plugin-check.ruleset.xml
@@ -5,6 +5,7 @@
 	<description>Standards any plugin to be published on wordpress.org should comply with.</description>
 
 	<!-- The following rules have been copied from https://github.com/WordPress/plugin-check/blob/95c426228a23a3b290de7758a1708e95fd3c5345/phpcs-rulesets/plugin-review.xml#L33-L174 -->
+	<!-- The rules are copied here to exclude the undesired rules/configs, especially setting the testVersion to 5.2-. -->
 
 	<!-- All SQL queries should be prepared as close to the time of querying the database as possible. -->
 	<rule ref="WordPress.DB.PreparedSQL"/>

From fd5a0bd5c6b5dc39071083c3c5251f5b222d6561 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Tue, 10 Jun 2025 06:55:13 -0700
Subject: [PATCH 09/11] Improve repositories configuration in composer.json

Co-authored-by: swissspidy <swissspidy@git.wordpress.org>
---
 composer.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/composer.json b/composer.json
index 5fa23060fc..f18eb380ab 100644
--- a/composer.json
+++ b/composer.json
@@ -20,10 +20,14 @@
     "ext-gd": "Required to use Modern Image Format's Dominant_Color_Image_Editor_GD class",
     "ext-zlib": "Required for compression of URL Metric data submitted to the REST API for storage in Optimization Detective"
   },
-  "repositories": [
+  "repositories":[
     {
-      "type": "composer",
-      "url": "https://wpackagist.org"
+      "type":"composer",
+      "url":"https://wpackagist.org",
+      "only": [
+        "wpackagist-plugin/*",
+        "wpackagist-theme/*"
+      ]
     }
   ],
   "extra": {

From fbffd15559c6918db5e64a60b0255b5c960e0408 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Tue, 10 Jun 2025 07:08:33 -0700
Subject: [PATCH 10/11] Run composer update and add validation to lint-staged

---
 composer.json         |  3 +-
 composer.lock         | 92 +++++++++++++++++++++++++------------------
 lint-staged.config.js |  1 +
 3 files changed, 57 insertions(+), 39 deletions(-)

diff --git a/composer.json b/composer.json
index f18eb380ab..310dbda76a 100644
--- a/composer.json
+++ b/composer.json
@@ -13,7 +13,8 @@
   },
   "require": {
     "php": "^7.2 || ^8.0",
-    "ext-json": "*"
+    "ext-json": "*",
+    "ext-curl": "*"
   },
   "suggest": {
     "ext-imagick": "Required to use Modern Image Format's Dominant_Color_Image_Editor_Imagick class",
diff --git a/composer.lock b/composer.lock
index 6a44c2475b..1ebe45875c 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "37a47b0119d47cfa9b5296907f5d14c9",
+    "content-hash": "61571e5fb7c0f2eb3ee94b1d30dd7537",
     "packages": [],
     "packages-dev": [
         {
@@ -303,16 +303,16 @@
         },
         {
             "name": "myclabs/deep-copy",
-            "version": "1.13.0",
+            "version": "1.13.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/myclabs/DeepCopy.git",
-                "reference": "024473a478be9df5fdaca2c793f2232fe788e414"
+                "reference": "1720ddd719e16cf0db4eb1c6eca108031636d46c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/024473a478be9df5fdaca2c793f2232fe788e414",
-                "reference": "024473a478be9df5fdaca2c793f2232fe788e414",
+                "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/1720ddd719e16cf0db4eb1c6eca108031636d46c",
+                "reference": "1720ddd719e16cf0db4eb1c6eca108031636d46c",
                 "shasum": ""
             },
             "require": {
@@ -351,7 +351,7 @@
             ],
             "support": {
                 "issues": "https://github.com/myclabs/DeepCopy/issues",
-                "source": "https://github.com/myclabs/DeepCopy/tree/1.13.0"
+                "source": "https://github.com/myclabs/DeepCopy/tree/1.13.1"
             },
             "funding": [
                 {
@@ -359,7 +359,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-02-12T12:17:51+00:00"
+            "time": "2025-04-29T12:36:36+00:00"
         },
         {
             "name": "phar-io/manifest",
@@ -481,25 +481,28 @@
         },
         {
             "name": "php-stubs/wordpress-stubs",
-            "version": "v6.7.2",
+            "version": "v6.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/php-stubs/wordpress-stubs.git",
-                "reference": "c04f96cb232fab12a3cbcccf5a47767f0665c3f4"
+                "reference": "92e444847d94f7c30f88c60004648f507688acd5"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/php-stubs/wordpress-stubs/zipball/c04f96cb232fab12a3cbcccf5a47767f0665c3f4",
-                "reference": "c04f96cb232fab12a3cbcccf5a47767f0665c3f4",
+                "url": "https://api.github.com/repos/php-stubs/wordpress-stubs/zipball/92e444847d94f7c30f88c60004648f507688acd5",
+                "reference": "92e444847d94f7c30f88c60004648f507688acd5",
                 "shasum": ""
             },
+            "conflict": {
+                "phpdocumentor/reflection-docblock": "5.6.1"
+            },
             "require-dev": {
                 "dealerdirect/phpcodesniffer-composer-installer": "^1.0",
-                "nikic/php-parser": "^4.13",
+                "nikic/php-parser": "^5.4",
                 "php": "^7.4 || ^8.0",
                 "php-stubs/generator": "^0.8.3",
                 "phpdocumentor/reflection-docblock": "^5.4.1",
-                "phpstan/phpstan": "^1.11",
+                "phpstan/phpstan": "^2.1",
                 "phpunit/phpunit": "^9.5",
                 "szepeviktor/phpcs-psr-12-neutron-hybrid-ruleset": "^1.1.1",
                 "wp-coding-standards/wpcs": "3.1.0 as 2.3.0"
@@ -523,9 +526,9 @@
             ],
             "support": {
                 "issues": "https://github.com/php-stubs/wordpress-stubs/issues",
-                "source": "https://github.com/php-stubs/wordpress-stubs/tree/v6.7.2"
+                "source": "https://github.com/php-stubs/wordpress-stubs/tree/v6.8.1"
             },
-            "time": "2025-02-12T04:51:58+00:00"
+            "time": "2025-05-02T12:33:34+00:00"
         },
         {
             "name": "phpcompatibility/php-compatibility",
@@ -591,26 +594,26 @@
         },
         {
             "name": "phpcsstandards/phpcsextra",
-            "version": "1.2.1",
+            "version": "1.3.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHPCSStandards/PHPCSExtra.git",
-                "reference": "11d387c6642b6e4acaf0bd9bf5203b8cca1ec489"
+                "reference": "8cb1a93708f82778c5fdc46106998c2072565418"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHPCSStandards/PHPCSExtra/zipball/11d387c6642b6e4acaf0bd9bf5203b8cca1ec489",
-                "reference": "11d387c6642b6e4acaf0bd9bf5203b8cca1ec489",
+                "url": "https://api.github.com/repos/PHPCSStandards/PHPCSExtra/zipball/8cb1a93708f82778c5fdc46106998c2072565418",
+                "reference": "8cb1a93708f82778c5fdc46106998c2072565418",
                 "shasum": ""
             },
             "require": {
                 "php": ">=5.4",
-                "phpcsstandards/phpcsutils": "^1.0.9",
-                "squizlabs/php_codesniffer": "^3.8.0"
+                "phpcsstandards/phpcsutils": "^1.0.12",
+                "squizlabs/php_codesniffer": "^3.12.1"
             },
             "require-dev": {
                 "php-parallel-lint/php-console-highlighter": "^1.0",
-                "php-parallel-lint/php-parallel-lint": "^1.3.2",
+                "php-parallel-lint/php-parallel-lint": "^1.4.0",
                 "phpcsstandards/phpcsdevcs": "^1.1.6",
                 "phpcsstandards/phpcsdevtools": "^1.2.1",
                 "phpunit/phpunit": "^4.5 || ^5.0 || ^6.0 || ^7.0 || ^8.0 || ^9.0"
@@ -663,9 +666,13 @@
                 {
                     "url": "https://opencollective.com/php_codesniffer",
                     "type": "open_collective"
+                },
+                {
+                    "url": "https://thanks.dev/u/gh/phpcsstandards",
+                    "type": "thanks_dev"
                 }
             ],
-            "time": "2023-12-08T16:49:07+00:00"
+            "time": "2025-06-08T19:59:14+00:00"
         },
         {
             "name": "phpcsstandards/phpcsutils",
@@ -884,16 +891,16 @@
         },
         {
             "name": "phpstan/phpstan",
-            "version": "1.12.21",
+            "version": "1.12.27",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpstan/phpstan.git",
-                "reference": "14276fdef70575106a3392a4ed553c06a984df28"
+                "reference": "3a6e423c076ab39dfedc307e2ac627ef579db162"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/14276fdef70575106a3392a4ed553c06a984df28",
-                "reference": "14276fdef70575106a3392a4ed553c06a984df28",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/3a6e423c076ab39dfedc307e2ac627ef579db162",
+                "reference": "3a6e423c076ab39dfedc307e2ac627ef579db162",
                 "shasum": ""
             },
             "require": {
@@ -938,7 +945,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-03-09T09:24:50+00:00"
+            "time": "2025-05-21T20:51:45+00:00"
         },
         {
             "name": "phpstan/phpstan-deprecation-rules",
@@ -1387,16 +1394,16 @@
         },
         {
             "name": "phpunit/phpunit",
-            "version": "8.5.41",
+            "version": "8.5.42",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/phpunit.git",
-                "reference": "d843cb5bcf0bf9ae3484016444fe0c5b6ec7e4fa"
+                "reference": "3a68a70824da546d26ac08ca4fced67341f4158f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/d843cb5bcf0bf9ae3484016444fe0c5b6ec7e4fa",
-                "reference": "d843cb5bcf0bf9ae3484016444fe0c5b6ec7e4fa",
+                "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/3a68a70824da546d26ac08ca4fced67341f4158f",
+                "reference": "3a68a70824da546d26ac08ca4fced67341f4158f",
                 "shasum": ""
             },
             "require": {
@@ -1407,7 +1414,7 @@
                 "ext-mbstring": "*",
                 "ext-xml": "*",
                 "ext-xmlwriter": "*",
-                "myclabs/deep-copy": "^1.12.1",
+                "myclabs/deep-copy": "^1.13.1",
                 "phar-io/manifest": "^2.0.4",
                 "phar-io/version": "^3.2.1",
                 "php": ">=7.2",
@@ -1465,7 +1472,7 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/phpunit/issues",
                 "security": "https://github.com/sebastianbergmann/phpunit/security/policy",
-                "source": "https://github.com/sebastianbergmann/phpunit/tree/8.5.41"
+                "source": "https://github.com/sebastianbergmann/phpunit/tree/8.5.42"
             },
             "funding": [
                 {
@@ -1476,12 +1483,20 @@
                     "url": "https://github.com/sebastianbergmann",
                     "type": "github"
                 },
+                {
+                    "url": "https://liberapay.com/sebastianbergmann",
+                    "type": "liberapay"
+                },
+                {
+                    "url": "https://thanks.dev/u/gh/sebastianbergmann",
+                    "type": "thanks_dev"
+                },
                 {
                     "url": "https://tidelift.com/funding/github/packagist/phpunit/phpunit",
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-12-05T13:44:26+00:00"
+            "time": "2025-05-02T06:33:00+00:00"
         },
         {
             "name": "sebastian/code-unit-reverse-lookup",
@@ -2362,7 +2377,7 @@
         },
         {
             "name": "symfony/polyfill-php73",
-            "version": "v1.31.0",
+            "version": "v1.32.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php73.git",
@@ -2418,7 +2433,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php73/tree/v1.31.0"
+                "source": "https://github.com/symfony/polyfill-php73/tree/v1.32.0"
             },
             "funding": [
                 {
@@ -2752,7 +2767,8 @@
     "prefer-lowest": false,
     "platform": {
         "php": "^7.2 || ^8.0",
-        "ext-json": "*"
+        "ext-json": "*",
+        "ext-curl": "*"
     },
     "platform-dev": {},
     "platform-overrides": {
diff --git a/lint-staged.config.js b/lint-staged.config.js
index 04596cbc3b..63c94fdaa4 100644
--- a/lint-staged.config.js
+++ b/lint-staged.config.js
@@ -18,6 +18,7 @@ const config = {
 	'/tools/**.php': 'composer lint',
 	// Note: Instead of the preceding two lines, the following line was tried but it is not working:
 	// [ `!(plugins/{${ plugins.join( '|' ) }})/**/*.php` ]: 'composer lint',
+	'composer.{json,lock}': () => 'composer validate --strict',
 };
 
 for ( const plugin of plugins ) {

From 4c06a40640607c84d9bfe1213637dfbd6b8a3c28 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Wed, 11 Jun 2025 07:02:43 -0700
Subject: [PATCH 11/11] Remove erroneous ext-curl from fbffd15

---
 composer.json | 3 +--
 composer.lock | 5 ++---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/composer.json b/composer.json
index 310dbda76a..f18eb380ab 100644
--- a/composer.json
+++ b/composer.json
@@ -13,8 +13,7 @@
   },
   "require": {
     "php": "^7.2 || ^8.0",
-    "ext-json": "*",
-    "ext-curl": "*"
+    "ext-json": "*"
   },
   "suggest": {
     "ext-imagick": "Required to use Modern Image Format's Dominant_Color_Image_Editor_Imagick class",
diff --git a/composer.lock b/composer.lock
index 1ebe45875c..bbea1e1511 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "61571e5fb7c0f2eb3ee94b1d30dd7537",
+    "content-hash": "914fa3da8a7fde9e9736b7c28f994227",
     "packages": [],
     "packages-dev": [
         {
@@ -2767,8 +2767,7 @@
     "prefer-lowest": false,
     "platform": {
         "php": "^7.2 || ^8.0",
-        "ext-json": "*",
-        "ext-curl": "*"
+        "ext-json": "*"
     },
     "platform-dev": {},
     "platform-overrides": {