• Resolved magicpowers

    (@magicpowers)


    Today I updated my WooCommerce plugin to 9.3, first on my staging site, then on my production site.

    Within minutes I got an email alert from my security WordFence plugin about 919 modified WooCommerce files on my staging site.

    This update is supposedly a “tweak” not a major update. How come it has modified 919 files??

    I don’t like that so I deactivated the plugin. My staging site is in a permanent maintenance mode so you won’t be able to access it anyway.

    There is no modified file alert on my Production site because I excluded plugin file modifications from the scan. (will now bring it back)

    Could you please explain how a tweak to block remote login has modified 919 files.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support ckadenge (woo-hc)

    (@ckadenge)

    Hi @magicpowers,

    Thank you for reaching out.

    When you update the WooCommerce plugin, it’s normal for a significant number of files to be modified, even in a minor update. This is because updates often involve changes to a large number of files to ensure compatibility, fix bugs, and introduce new features.

    The alert from WordFence is not necessarily a cause for concern. WordFence is simply notifying you that files have been modified, which is expected behavior when a plugin is updated.

    The specific “tweak” you mentioned may only be a small part of the update, but the update as a whole can still involve modifications to a large number of files.

    If you’re not experiencing any issues on your site after the update, there’s no need to worry about the modified files. If you do encounter any problems, please don’t hesitate to reach out to us for assistance.

    I hope this clears up any confusion.

    Thread Starter magicpowers

    (@magicpowers)

    Hi @ckadenge

    Thanks for your reply.

    While I understand that a plugin update usually involves file modifications, I have a problem with your explanation in this scenario.

    A simple update – “a tweak to prevent remote login” – as per your description – surely would not modify 919 files, which were all WooCommerce files of all possible types you can think of – php, css, js, json, pot – of, I think, every single element of the plugin. This is not a typo – nine hundred nineteen files have been modified. I’m not a developer but have sufficient understanding of plugin updates to know the difference between a TWEAK and a MAJOR UPDATE.

    So – either something went very wrong with this “tweak” update that you are not telling me, OR this was in fact a major update which was not disclosed.

    I don’t worry about a few modified files in a plugin update, but this number of files, of all possible types and for every single element of the plugin not related to the login process (like assets, product images, product tags, upsell etc.), is not warranted and can’t be explained by this tweak update.

    Could you please explain what has really happened?

    Plugin Support ckadenge (woo-hc)

    (@ckadenge)

    Hi @magicpowers,

    It’s important to note that updates can sometimes involve broader changes to the codebase for a variety of reasons. You can find more details here.

    The update included improvements to the overall code structure, bug fixes, security enhancements, or other changes that improve the performance and stability of the plugin. These changes often involve multiple files, even if they are not directly related to the specific feature that was tweaked.

    For further understanding, please check out the changelog here.

    I hope this addresses your concerns.

    Thread Starter magicpowers

    (@magicpowers)

    Hi @ckadenge

    OK, I finally found the problem.
    I can see in your changelog on github that there was indeed a major update 9.3.0 released on Sep 10 – simply titled “Woocommerce” – involving changes to a large number of files.

    That major update followed a minor update 9.2.3 released on Aug 26 – so there was a jump from 9.2.3 to 9.3.0.

    That major update was followed two days later on Sep 12 by a minor update 9.3.1 titled: Tweak – Disable remote logging feature by default.

    Here is the problem: I did NOT receive an alert to update Woocommerce to 9.3.0.

    I received an alert: The Plugin “Woocommerce” needs an upgrade (9.2.3 -> 9.3.1) – which clearly included the major update – but that’s not the proper way of releasing a major update, concealed in the subsequent minor tweak. I can send you a screenshot of this email as proof, if you claim that the major update 9.3.0 was alerted separately.

    The update 9.3.1 is a Tweak which should not have modified over 900 Woocommerce files, and so naturally this has raised a red flag for me.

    Now – if the major update did alert the users separately and I didn’t receive that email alert, then there is a problem with my email alerts, either by WordPress or the Wordfence plugin.

    Could you please confirm whether the major update alert was issued to users separately or whether you postponed it and lumped it together with the update to 9.3.1?

    I will investigate this further depending on your reply, as I don’t like this sort of surprise and will always investigate all suspicious activity on my website.

    thanks

    Plugin Author Rodel Calasagsag a11n

    (@rodelgc)

    Hi @magicpowers. Quoting from the WooCommerce 9.3.1: Dot Release announcement:

    WooCommerce 9.3 was never set as the stable version

    And I hope that explains why your site upgraded from 9.2.3 to 9.3.1 without receiving a notification for 9.3.0.

    I received an alert: The Plugin “Woocommerce” needs an upgrade (9.2.3 ->9.3.1) – which clearly included the major update. – but that’s not the proper way of releasing a major update, concealed in the subsequent minor tweak.

    If we spot some issues during the canary release of a major update, we fix them immediately via a point release and then make that the stable version instead. I do realize that it could come across as concealing a minor tweak, but just wanted to point out the deeper reason behind the 9.2.3 to 9.3.1 jump.
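    A file-integrity alert like the 919-file one discussed above is only actionable if the modified files can be compared against the package that was supposed to be installed. The following is an added example, not code from the thread or from WooCommerce, that hashes an installed plugin directory and compares it with the official release zip for the same version (for a wordpress.org plugin the archive is the `woocommerce.<version>.zip` download). Everything it runs against is constructed inline in a temporary directory: a three-file "installed" tree and a three-file "official" zip, with one file altered, one missing and one present that the release does not contain.

```python
"""Compare an installed plugin tree against the official release archive.

Added example (not from the support thread or WooCommerce). All inputs are
constructed in a temp directory so the script runs offline.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return digests


def hash_zip(zip_path: Path, top_dir: str) -> dict[str, str]:
    """Map path (with the archive's top-level folder stripped) -> SHA-256."""
    prefix = top_dir.rstrip("/") + "/"
    digests = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            digests[info.filename[len(prefix):]] = sha256_bytes(zf.read(info))
    return digests


def compare(installed: dict[str, str], official: dict[str, str]) -> dict:
    """Classify every file: changed vs. release, missing from install, or extra."""
    changed = sorted(k for k in installed if k in official and installed[k] != official[k])
    missing = sorted(k for k in official if k not in installed)
    extra = sorted(k for k in installed if k not in official)
    return {
        "changed": changed,
        "missing": missing,
        "extra": extra,
        "matching": len(installed) - len(changed) - len(extra),
    }


def demo() -> dict:
    """Build constructed sample data and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        plugin = base / "woocommerce"            # constructed "installed" tree
        (plugin / "includes").mkdir(parents=True)
        (plugin / "woocommerce.php").write_text("<?php // Version: 9.3.1 (constructed)\n")
        (plugin / "includes" / "class-wc-cart.php").write_text("<?php // cart, locally edited\n")
        (plugin / "includes" / "helper.php").write_text("<?php // not part of the release\n")

        release = base / "woocommerce.9.3.1.zip"  # constructed "official" archive
        with zipfile.ZipFile(release, "w") as zf:
            zf.writestr("woocommerce/woocommerce.php", "<?php // Version: 9.3.1 (constructed)\n")
            zf.writestr("woocommerce/includes/class-wc-cart.php", "<?php // cart, as released\n")
            zf.writestr("woocommerce/readme.txt", "=== WooCommerce === (constructed)\n")

        return compare(hash_tree(plugin), hash_zip(release, "woocommerce"))


if __name__ == "__main__":
    report = demo()
    for key in ("changed", "missing", "extra"):
        for path in report[key]:
            print(f"{key:8} {path}")
    print(f"matching {report['matching']}")
```

    Files that only differ because a new version replaced an old one land in `matching` once the comparison is made against the version actually installed (read it from the `Version:` header of the main plugin file rather than from the update e-mail); what deserves a look is the `extra` list, and any `changed` entry that is not a file you edited yourself. WP-CLI's `wp plugin verify-checksums` performs the same comparison against wordpress.org's published checksums for plugins hosted there.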

    Thread Starter magicpowers

    (@magicpowers)

    Hi @rodelgc

    Ok, I get that. Thanks. A couple of final points:

    I do realize that it could come across as concealing a minor tweak.
    No, that’s the other way around. The major update was “hidden”, i.e. not visible, in the minor tweak.

    WooCommerce 9.3 was never set as the stable version.

    This may be so, but your plugin users other than developers and webmasters did not have this information. I don’t visit github every day or read every plugin’s update release notes. I have no time for that nor interest. I manually update my plugins once I receive an alert notification that an update is available, check the update details in the plugin changelog to determine whether I need to update it on my staging site first to pick up any potential conflicts, and fully rely on the information provided there.

    I’m aware that it is not unusual for a major update to skip a few versions, as they often incorporate minor tweaks, patches etc. However, I have never before seen a minor update that includes a major update without any information about it in the update details, especially when the major update has modified 919 files, which is very likely to be picked up by the users’ security plugins.

    If you included this information in the changelog accessible via the plugin update link (learn more about this update), there would be no issue raising the red flag – how the heck a minor tweak has modified 919 files on my computer.

    Communication is key. And also, it would be very helpful if you could please keep in mind your plugin’s regular users who don’t live in GitHub and rely on the information provided in the changelog linked to the updates.

    thanks

    Plugin Support omarfpg a11n

    (@omarfpg)

    Hi @magicpowers,

    We agree with you, communication is oxygen! Thank you for the valuable feedback to improve our services.

    Thanks!
    -OP

    Thread Starter magicpowers

    (@magicpowers)

    @omarfpg

    thanks! keep up the good work!
