• In version 2.4.2, plugin verification using WP-CLI fails due to the lack of the vendor directory and some files:

    $ wp plugin verify-checksums facebook-auto-publish
    +-----------------------+------------------------------------------------------------------------------------------------------+-----------------+
    | plugin_name | file | message |
    +-----------------------+------------------------------------------------------------------------------------------------------+-----------------+
    | facebook-auto-publish | composer.json | File is missing |
    | facebook-auto-publish | composer.lock | File is missing |
    | facebook-auto-publish | vendor/autoload.php | File is missing |
    | facebook-auto-publish | vendor/composer/ClassLoader.php | File is missing |
    | facebook-auto-publish | vendor/composer/LICENSE | File is missing |
    | facebook-auto-publish | vendor/composer/autoload_classmap.php | File is missing |
    | facebook-auto-publish | vendor/composer/autoload_files.php | File is missing |
    | facebook-auto-publish | vendor/composer/autoload_namespaces.php | File is missing |
    | facebook-auto-publish | vendor/composer/autoload_psr4.php | File is missing |
    | facebook-auto-publish | vendor/composer/autoload_real.php | File is missing |
    | facebook-auto-publish | vendor/composer/autoload_static.php | File is missing |
    | facebook-auto-publish | vendor/composer/installed.json | File is missing |
    | facebook-auto-publish | vendor/facebook/graph-sdk/CODE_OF_CONDUCT.md | File is missing |
    | facebook-auto-publish | vendor/facebook/graph-sdk/LICENSE | File is missing |
    | facebook-auto-publish | vendor/facebook/graph-sdk/composer.json | File is missing |
    | facebook-auto-publish | vendor/facebook/graph-sdk/phpcs.xml.dist | File is missing |
    ...

    Could you please fix this?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi,

    In version 2.4.2 of the plugin, we’ve made some significant updates, including replacing the Facebook SDK with wp_remote calls to interact directly with the Facebook API. As a result, the vendor directory and related files (such as composer.json and composer.lock) are no longer part of the plugin package.

    The verification failure you’re seeing is due to this change, but rest assured, the plugin should function correctly without those files. If you’re experiencing any issues related to functionality or compatibility, please feel free to let us know.

    Thanks and Regards,
    Anjali

    Thread Starter Akihiro Harai

    (@akihiroharai)

    In my company, we use wp plugin verify-checksums to detect tampering. Incorrect checksums hide REAL tampering. We would like you to release a new version with correct checksums.


    The current version of the plugin, as published on www.ads-software.com, no longer includes the vendor directory, as we’ve switched to using wp_remote calls for the API. The correct files for this version are already in place.

    If you’re still encountering checksum issues, it might be due to older files lingering in your installation.
    I recommend performing a fresh installation of the plugin to ensure all files align with the latest release.

    Also, please check if wp plugin verify-checksums might already have mechanisms to handle such structural changes.

    Thread Starter Akihiro Harai

    (@akihiroharai)

    The current version of the plugin, as published on www.ads-software.com, no longer includes the vendor directory, as we’ve switched to using wp_remote calls for the API.

    That’s right. And the issue here is that the checksums expect the vendor directory to exist. That’s what the output of wp plugin verify-checksums says. Did you change the content of the version 2.4.2 AFTER its release?

    To clarify, the changes to remove the vendor directory and switch to wp_remote calls were part of the version 2.4.2 release from the beginning. No content was modified after its release.

    The issue you’re seeing with wp plugin verify-checksums may stem from the fact that the checksums were generated based on the previous version that still included the vendor directory. However, the current version does not require those files anymore, which is why the plugin is flagged during the checksum verification.

    Since the changes were intentional and part of the 2.4.2 release, I recommend ensuring that you’re using a clean installation of this version. The wp plugin verify-checksums tool may still expect the old directory structure, but the latest published version is correct as-is.

    Thread Starter Akihiro Harai

    (@akihiroharai)

    I investigated this issue with my colleague and found it to be quite complicated.

    First, the release flow had an issue. It seems that version 2.4.2 was released following these steps:

    1. A commit was made to trunk. At this point, the vendor directory had not been deleted: https://plugins.trac.www.ads-software.com/changeset/3051669/facebook-auto-publish
    2. Since the readme.txt at step 1 listed Stable Tag: 2.4.2, the WordPress repository generated the checksums based on the contents of trunk.
    3. Then, a commit, which removed vendor, was made to tags/2.4.2: https://plugins.trac.www.ads-software.com/changeset/3051723/facebook-auto-publish
    4. When users (like us) download version 2.4.2, the contents of the zip are based on the contents of tags/2.4.2 created in step 3, while the vendor directory remains in the checksum.

    As a result, when running wp plugin verify-checksums, it throws an error because the vendor directory is missing. It seems that this issue cannot be avoided with the current version 2.4.2. In future updates, it may be necessary to take one of the following measures:

    Second, the design of the checksum feature itself has a problem. The plugin repository is created on top of SVN. Since SVN doesn’t have an immutable tag feature, modifying a release AFTER publishing is not technically forbidden. And it makes the checksum feature strange. The current implementation of wp plugin verify-checksums outputs an error when a missing file is found. But there’s a discussion that that error shouldn’t be output (https://meta.trac.www.ads-software.com/ticket/6275). The reason is that it is allowed to delete a file after release. That is, we cannot use the checksum as an integrity check. On the other hand, there are WordPress users and hosting services who currently use it as an integrity checker, just like us.
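
A triage sketch for the situation described in the post above, added here as an example and not part of the original thread or of WP-CLI: it keeps "File is missing" rows (which the release flow in steps 1 to 4 can produce) from masking modified or added files. It assumes the report was exported with `wp plugin verify-checksums --format=json`; the function name, verdict labels and sample rows are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the row shape shown in the thread (plugin_name, file,
# message). The "example-plugin" rows are invented for contrast.
SAMPLE = json.dumps([
    {"plugin_name": "facebook-auto-publish", "file": "composer.json",
     "message": "File is missing"},
    {"plugin_name": "facebook-auto-publish", "file": "vendor/autoload.php",
     "message": "File is missing"},
    {"plugin_name": "facebook-auto-publish", "file": "vendor/composer/ClassLoader.php",
     "message": "File is missing"},
    {"plugin_name": "example-plugin", "file": "includes/helper.php",
     "message": "Checksum does not match"},
    {"plugin_name": "example-plugin", "file": "cache.php",
     "message": "File was added"},
])

MISSING = "File is missing"


def triage(raw_json):
    """Classify each plugin so missing-file noise cannot mask modified files."""
    rows = defaultdict(list)
    for row in json.loads(raw_json):
        rows[row["plugin_name"]].append(row)
    report = {}
    for plugin, items in rows.items():
        # Anything that is not a plain "missing" row is treated as high
        # severity, including messages this script does not recognise.
        high = sorted(r["file"] for r in items if r["message"] != MISSING)
        missing = [r["file"] for r in items if r["message"] == MISSING]
        # Whole directories missing at once point at a manifest/package mismatch.
        dirs = Counter(f.split("/", 1)[0] if "/" in f else "(root)" for f in missing)
        report[plugin] = {
            "verdict": "modified-or-added" if high else "missing-only",
            "high": high,
            "missing_dirs": dict(dirs),
        }
    return report


if __name__ == "__main__":
    for name, result in triage(SAMPLE).items():
        print(name, result["verdict"], result["high"], result["missing_dirs"])
```

A `missing-only` verdict still calls for comparing the installed files against the published zip; the split only stops those rows from drowning out modified or added files.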

    Hello @akihiroharai ,

    I apologize for the delay and appreciate your detailed feedback. I can confirm that we have now committed both the trunk and tag simultaneously without any changes, so the checksum issues should be resolved.

    We will ensure this process is followed in future releases to avoid similar issues.

    Thank you for your understanding.

    Best regards,
    Anjali Nair
