
Bad string injection of plugin update message #3318

Open
2 of 3 tasks
justlevine opened this issue Feb 18, 2025 · 7 comments
Labels
type: bug Issue that causes incorrect or unexpected behavior

Comments

@justlevine
Collaborator

Description

The ajax plugin install injects "Updated" at multiple points of our update message

Image

Steps to reproduce

  1. Install WPGraphQL v1.x and a plugin that doesn't explicitly support WPGraphQL 2.x

  2. Click the update button to manually update WPGraphQL

  3. Wait for the update to complete

Additional context

No response

WPGraphQL Version

2.0.0

WordPress Version

6.7.2

PHP Version

8.2.27

Additional environment details

No response

Please confirm that you have searched existing issues in the repo.

  • Yes

Please confirm that you have disabled ALL plugins except for WPGraphQL.

  • Yes
  • My issue is with compatibility with a specific WordPress plugin, and I have listed all my installed plugins (and version info) above.
@jasonbahl
Collaborator

@justlevine I ran into this and it seemed to be related to this Slevomat cs rule: ed966b6#diff-05ae9cddcaec1e845771a7db224961439f83ef5939ec67d3a48744cb34d7e58bR68

Once I ignored that rule, the const type hints were no longer being added to the UpdateChecker class and the errors I was experiencing went away.

@jasonbahl
Collaborator

Hmm... that rule doesn't seem to exist in the GitHub workflow. https://github.com/wp-graphql/wp-graphql/actions/runs/13644419466/job/38140553664?pr=3327#step:5:11

I'm on PHP 8.4 locally. The workflow is PHP 8.2. Perhaps that's the issue?

@jasonbahl
Collaborator

I tried to update the workflow to use PHP 8.4, but it's still not recognizing that ignore: https://github.com/wp-graphql/wp-graphql/actions/runs/13644528983/job/38140843577?pr=3327#step:5:11

I was able to ignore it locally though 🤔. Need to step away, but just noting some findings.

@justlevine
Collaborator Author

@jasonbahl I'm happy to take a look locally and update you

(Is this related to this UX issue though?)

@jasonbahl
Collaborator

@justlevine ah, apologies. I was trying to reproduce and was running into an error which was caused by phpcbf, so in my mind they were related, especially since the issue was on the UpdateChecker.php file, but ya, I don't think it's actually related.

I was able to update the composer dependencies and now the ignore rule I added to .phpcs.xml.dist is being respected. And now I can get back to reproducing this 😆

@jasonbahl jasonbahl added the type: bug Issue that causes incorrect or unexpected behavior label Mar 4, 2025
@jasonbahl
Collaborator

@justlevine this is tricky to test 🤔

How do you go about properly simulating an update while not actually updating it? How do we show the update success message but not actually run the update?

@justlevine
Collaborator Author

justlevine commented Mar 4, 2025

To replicate, download an old plugin version (from releases or with the --version wp-cli flag).

To test (this is what I did last time, might be an easier way 🤷)

  1. Use a separate WP install (so your .env one will still be used for unit tests)
  2. (Temporarily - don't commit) lower the plugin version number (so you'll see a real update notice + workflow to the current 2.x.y)
  3. Copy (don't symlink) the folder to wp-content/plugins
  4. After a change, delete and recopy wp-content/plugins/wp-graphql

Basically, I had an rm -rf /path/to/wp-content/plugins/wp-graphql && cp path/to/repo/wp-graphql /path/to/wp-content/plugins in my terminal that I kept rerunning after every change I wanted to test.
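The refresh loop from the comment above, written out as a small POSIX shell function. This is an added example, not code from the issue or from the WPGraphQL project: it wraps the same rm -rf && cp step in a function with two guards, so the delete can only ever hit a directory that lives under a wp-content/plugins path and the source must actually exist. All paths are hypothetical and passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the issue or the WPGraphQL project): refresh the copied
# plugin in a separate WordPress install from a working tree, as the comment
# describes, with guards around the rm -rf. Paths are hypothetical arguments.

refresh_plugin_copy() {
  src="$1"          # working tree of the plugin, e.g. /path/to/repo/wp-graphql
  plugins_dir="$2"  # the install's wp-content/plugins directory
  slug=$(basename "$src")
  dest="$plugins_dir/$slug"

  # Guard 1: the source working tree must exist before anything is deleted.
  [ -d "$src" ] || { echo "source not found: $src" >&2; return 1; }

  # Guard 2: only delete inside a directory whose path ends in wp-content/plugins,
  # so a typo in the second argument cannot remove an unrelated directory.
  case "$plugins_dir" in
    */wp-content/plugins) ;;
    *) echo "refusing: $plugins_dir is not a wp-content/plugins directory" >&2; return 1 ;;
  esac

  rm -rf "$dest"
  cp -R "$src" "$dest"
  # Drop VCS metadata and dev-only directories that a release zip would not carry,
  # so the copy behaves like an installed plugin rather than a checkout.
  rm -rf "$dest/.git" "$dest/node_modules"
  echo "copied $src -> $dest"
}
```

Call it as `refresh_plugin_copy /path/to/repo/wp-graphql /path/to/site/wp-content/plugins` after each change; step 2 of the comment (temporarily lowering the plugin version) still has to be done in the working tree before copying.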
