Merge branch 'develop' into fix-827

.github/workflows/acceptance-tests.yml

@@ -34,6 +34,9 @@ on:
  - 'package.json'
  workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
  test:
  name: WP ${{ matrix.wp }} / PHP ${{ matrix.php }}
@@ -43,18 +46,18 @@ jobs:
  matrix:
  wp:
  # Latest three stable:
+ - '6.5'
  - '6.4'
  - '6.3'
- - '6.2'
  php:
  - '8.2'
  - '7.4'
  include:
  # Latest stable on PHP 8.3:
- - wp: '6.4'
+ - wp: '6.5'
  php: '8.3'
  # Oldest supported on PHP 7.4:
- - wp: '5.6'
+ - wp: '5.7'
  php: '7.4'
  fail-fast: false
  uses: johnbillion/plugin-infrastructure/.github/workflows/reusable-acceptance-tests.yml@trunk

.github/workflows/build.yml

@@ -5,22 +5,14 @@ on:
  push:
  branches:
  - 'release'
+ workflow_dispatch:
+
+permissions:
+ contents: write
 
 jobs:
  build:
  name: Build
  uses: johnbillion/plugin-infrastructure/.github/workflows/reusable-build.yml@trunk
- master:
- name: Push to master
- needs: build
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
- with:
- ref: develop
-
- - name: Push
- run: git push origin develop:master
- env:
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag: ${{ github.event_name != 'workflow_dispatch' }}

.github/workflows/coding-standards.yml

@@ -34,6 +34,9 @@ on:
  - 'phpstan.neon.dist'
  workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
  test:
  name: PHP / PHP ${{ matrix.php }}

.github/workflows/deploy-assets.yml

@@ -6,6 +6,9 @@ on:
  branches:
  - deploy
 
+permissions:
+ contents: read
+
 jobs:
  wordpress:
  name: WordPress.org

.github/workflows/deploy-tag.yml

@@ -4,16 +4,28 @@ name: Deploy Tag
 on:
  release:
  types: [published]
+ workflow_dispatch:
+ inputs:
+ version:
+ required: true
+ type: string
+ description: The version number of the release
 
 concurrency: WordPress.org
 
+permissions:
+ contents: read
+ issues: write
+
 jobs:
  test:
  name: Deploy Tag
  uses: johnbillion/plugin-infrastructure/.github/workflows/reusable-deploy-tag.yml@trunk
  with:
  plugin: query-monitor
  readme: readme.txt
+ version: ${{ github.event_name != 'workflow_dispatch' && github.event.release.tag_name || github.event.inputs.version }}
+ deploy: ${{ github.event_name != 'workflow_dispatch' }}
  secrets:
  WPORG_SVN_USERNAME: ${{ secrets.WPORG_SVN_USERNAME }}
  WPORG_SVN_PASSWORD: ${{ secrets.WPORG_SVN_PASSWORD }}

.github/workflows/integration-tests.yml

@@ -34,6 +34,9 @@ on:
  - 'package.json'
  workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
  test:
  name: WP ${{ matrix.wp }} / PHP ${{ matrix.php }}
@@ -44,18 +47,18 @@ jobs:
  matrix:
  wp:
  # Latest three stable:
+ - '6.5'
  - '6.4'
  - '6.3'
- - '6.2'
  php:
  - '8.2'
  - '7.4'
  include:
  # Latest stable on PHP 8.3:
- - wp: '6.4'
+ - wp: '6.5'
  php: '8.3'
  # Oldest supported on PHP 7.4:
- - wp: '5.6'
+ - wp: '5.7'
  php: '7.4'
  fail-fast: false
  with:

.github/workflows/nightly-tests.yml

@@ -3,7 +3,7 @@
 name: Nightly Tests
 on:
  schedule:
- # Once weekly on Thursdays at 05:00 UTC.
+ # Once daily at 05:00 UTC.
  #
  # ┌───────────── minute (0 - 59)
  # │ ┌────────── hour (0 - 23)
@@ -13,14 +13,17 @@ on:
  # │ │ │ │ │
  # │ │ │ │ │
  # │ │ │ │ │
- - cron: '0 5 * * 4'
+ - cron: '0 5 * * *'
  push:
  branches:
  - 'develop'
  paths:
  - '.github/workflows/nightly-tests.yml'
  workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
  acceptance:
  name: Nightly acceptance / PHP ${{ matrix.php }}

CONTRIBUTING.md

@@ -10,7 +10,9 @@ If you enjoy using Query Monitor I would greatly appreciate it <a href="https://
 
 ## Reporting Security Issues
 
-If you discover a security issue in Query Monitor, please report it to [the security program on HackerOne](https://hackerone.com/johnblackbourn). Do not report security issues on GitHub or the WordPress.org support forums. Thank you.
+You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team helps validate, triage, and handle any security vulnerabilities. [Report a security vulnerability here](https://patchstack.com/database/vdp/query-monitor).
+
+Do not report security issues on GitHub or the WordPress.org support forums. Thank you.
 
 ## Inclusivity and Code of Conduct
 

README.md

@@ -64,11 +64,12 @@ Filtering queries by component or calling function makes it easy to see which pl
  * Shows all enqueued scripts and styles along with their handle, URL, and version
  * Shows their dependencies and dependents
  * Alerts you to any broken or missing dependencies
+ * Supports the script modules feature added in WordPress 6.5
 
 ### Languages
 
  * Shows you language settings and loaded text domains
- * Shows you the requested MO and JSON translation files for each text domain and which ones were loaded
+ * Shows you the requested MO, JSON, and PHP translation files for each text domain and which ones were loaded
 
 ### HTTP API Requests
 
@@ -230,12 +231,12 @@ On pages that have an especially high number of database queries (in the hundred
 
 ### Can I prevent Query Monitor from collecting data during long-running requests?
 
-Yes, if anything calls `do_action( 'qm/cease' )` then Query Monitor will cease operating for the remainder of the page generation. It detaches itself from further data collection, discards any data it's collected so far, and skips the output of its information.
+Yes, you can call `do_action( 'qm/cease' )` to instruct Query Monitor to cease operating for the remainder of the page generation. It will detach itself from further data collection, discard any data it's collected so far, and skip the output of its information.
 
 This is useful for long-running operations that perform a very high number of database queries, consume a lot of memory, or otherwise are of no concern to Query Monitor, for example:
 
 * Backing up or restoring your site
-* Exporting a large amount of data
+* Importing or exporting a large amount of data
 * Running security scans
 
 ### Are there any add-on plugins for Query Monitor?
@@ -252,17 +253,21 @@ Please use [the issue tracker on Query Monitor's GitHub repo](https://github.com
 
 Yes, the [Altis Developer Tools](https://www.altis-dxp.com/resources/developer-docs/dev-tools/) are built on top of Query Monitor.
 
-### Is Query Monitor available on WordPress.com VIP?
+### Is Query Monitor available on WordPress VIP?
 
-Yes, but a user needs to be granted the `view_query_monitor` capability to see Query Monitor even if they're an administrator. [See the WordPress.com VIP documentation for more details](https://docs.wpvip.com/how-tos/enable-query-monitor/).
+Yes, but a user needs to be granted the `view_query_monitor` capability to see Query Monitor even if they're an administrator. [See the WordPress VIP documentation for more details](https://docs.wpvip.com/how-tos/enable-query-monitor/).
 
 ### I'm using multiple instances of `wpdb`. How do I get my additional instances to show up in Query Monitor?
 
 This feature was removed in version 3.12 as it was rarely used and considerably increased the maintenance burden of Query Monitor itself. Feel free to continue using version 3.11 if you need to make use of this feature.
 
 ### Can I click on stack traces to open the file in my editor?
 
-Yes! You can enable this on the Settings panel.
+Yes. You can enable this on the Settings panel.
+
+### How can I report a security bug?
+
+You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team helps validate, triage, and handle any security vulnerabilities. [Report a security vulnerability here](https://patchstack.com/database/vdp/query-monitor).
 
 ### Do you accept donations?
 
@@ -295,6 +300,7 @@ Debugging is rarely done with just one tool. Along with Query Monitor you should
  * [Debug This](https://wordpress.org/plugins/debug-this/)
  * [Decalog](https://wordpress.org/plugins/decalog/)
  * [Laps](https://github.com/Rarst/laps)
+ * [Log HTTP Requests](https://wordpress.org/plugins/log-http-requests/)
  * [Rewrite Rules Inspector](https://wordpress.org/plugins/rewrite-rules-inspector/)
  * [Time Stack](https://github.com/joehoyle/Time-Stack)
  * [User Switching](https://wordpress.org/plugins/user-switching/)
@@ -321,7 +327,7 @@ See also my list of [WordPress Developer Plugins](https://johnblackbourn.com/wor
  * [Xdebug](https://xdebug.org/)
  * [XHProf](https://tideways.com/profiler/xhprof-for-php7)
  * [Wonolog](https://github.com/inpsyde/Wonolog)
- * [WP-CLI profile command](https://developer.wordpress.org/cli/commands/profile/)
+ * [WP-CLI `profile` command](https://developer.wordpress.org/cli/commands/profile/)
 
 ### Hosted services
 

SECURITY.md

@@ -1,5 +1,7 @@
 # Security Policy
 
-## Reporting a Vulnerability
+### How can I report a security bug?
 
-If you discover a security issue in Query Monitor, please report it to [the security program on HackerOne](https://hackerone.com/johnblackbourn). Do not report security issues on GitHub or the WordPress.org support forums. Thank you.
+You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team helps validate, triage, and handle any security vulnerabilities. [Report a security vulnerability here](https://patchstack.com/database/vdp/query-monitor).
+
+Do not report security issues on GitHub or the WordPress.org support forums. Thank you.

classes/CLI.php

@@ -31,7 +31,7 @@ public function enable() {
  if ( file_exists( $drop_in ) ) {
  $contents = file_get_contents( $drop_in );
 
- if ( false !== $contents && false !== strpos( $contents, 'class QM_DB' ) ) {
+ if ( false !== $contents && false !== strpos( $contents, 'new QM_DB' ) ) {
  WP_CLI::success( "Query Monitor's wp-content/db.php is already in place" );
  exit( 0 );
  } else {