Skip to content

Release 4.2.2#1920

Merged
bartoszgadomski merged 7 commits into
masterfrom
release/v4.2.2
Jul 6, 2026
Merged

Release 4.2.2#1920
bartoszgadomski merged 7 commits into
masterfrom
release/v4.2.2

Conversation

@bartoszgadomski

@bartoszgadomski bartoszgadomski commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

Release 4.2.2. This is a security-hardening patch release.

Included changes

  • Security hardening — enforce the Stream view capability and always target the current user in the stream_enable_live_update AJAX handler so a user can only change their own live update preference (#1918).
  • Version bump to 4.2.2 in stream.php, readme.txt (Stable tag), and classes/class-plugin.php (VERSION).
  • Changelog entry for 4.2.2.
  • CI: refresh apt metadata before the Playwright install step so the E2E job installs browser dependencies reliably.

Release process

  • Version bumped and changelog updated on release/v4.2.2.
  • v4.2.2-rc.1 pre-release published for WP.org dry-run + ZIP smoke test.
  • RC verified.
  • Final v4.2.2 release published (deploys to WP.org).
  • Merge this PR into master, then merge master into develop.

Notes

Made with Cursor

bartoszgadomski and others added 7 commits July 6, 2026 10:30
Enforce the view capability and always target the current user in the
stream_enable_live_update AJAX handler so a user can only change their
own live update preference. Drop the client-supplied user field from the
markup and AJAX payload, and add PHPUnit coverage for the authorization
behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>
The ondrej/php PPA added by setup-php changed its repository Label, which
caused the apt-get update run by `playwright install --with-deps` to abort
with exit code 100. Refresh apt metadata with --allow-releaseinfo-change
first so browser dependency installation succeeds.

Co-authored-by: Cursor <cursoragent@cursor.com>
Pin the JSON success flag in both the denial and current-user tests so a
future refactor cannot silently return success without writing the
expected user meta.

Co-authored-by: Cursor <cursoragent@cursor.com>
Harden live update preference authorization
Reconcile develop with the 4.2.1 release that shipped from master:
version bump and Plugin Check hardening (ABSPATH guards, output
escaping, and related fixes) that were never merged back. Preserves
develop's newer work, including the live update authorization fix.

Co-authored-by: Cursor <cursoragent@cursor.com>
Bump version to 4.2.2 and document the live update authorization
hardening in the changelog.

Co-authored-by: Cursor <cursoragent@cursor.com>
@bartoszgadomski bartoszgadomski merged commit 66bbc6a into master Jul 6, 2026
21 checks passed
@bartoszgadomski bartoszgadomski deleted the release/v4.2.2 branch July 6, 2026 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant