• Resolved hastibe

    (@hastibe)


    I received an email just now from my website that WooCommerce Stripe Gateway has “automatically updated to their latest version on your site,” but I have auto-updates disabled for this plugin. Was there a forced update to 7.4.2 pushed out? If so, what was the reason?

    Looking forward to hearing back–thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Yuki K a11n.

    (@yukikatayama)

    Automattic Happiness Engineer

    Thank you all for reporting this!

    Yes, there was an update to Stripe version 7.4.1. Official communication of this update is planned to go out later this week; however, to answer the question here, the update was rolled out on a proactive basis to enhance the security of the WooCommerce Stripe plugin. There have been no known exploits of the vulnerability we are patching, and we have no evidence of any data being compromised.

    Do let me know if you have any further questions!

    Thread Starter hastibe

    (@hastibe)

    @yukikatayama — thank you for responding, and please don’t do this again without communicating what happened as part of the forced update.

    It’s not okay to change users’ websites without at least communicating why to those users at the same time, regardless of the reason (and good intentions).

    That the update was for a security enhancement should also be clearly indicated in the changelog for 7.4.2; otherwise you have a situation where users don’t know that 7.4.1 is potentially vulnerable and may roll back or otherwise disregard updating on sites where your forced update failed.

    Plugin Support Gabriel – a11n

    (@gabrielfuentes)

    Hello there, and thanks a lot for voicing your concerns!

    We truly acknowledge how vital clarity and communication are, particularly when alterations impacting your websites take place.

    When it comes to security enhancement updates, it is best practice to update the plugin before releasing any communication. This is to prevent potential exploitation of the identified vulnerability if the information becomes public beforehand. In essence, this practice is aimed at fortifying your site’s security before any actions.

    In regards to the changelog, I can see there are mentions of everything that was done in order to correct this.

    We sincerely appreciate your feedback and understanding.

    Best,

    Thread Starter hastibe

    (@hastibe)

    @gabrielfuentes — I do understand about not releasing communication about a vulnerability (that isn’t known to be actively being exploited, at least) before providing an update, but I want to restate what I expressed above that it is important to communicate to users why an update is being forced at the time the update is made.

    For instance, if nothing else, your changelog should clearly indicate that a security vulnerability was fixed (check out the changelog from update 2.6.7 and the note currently above update 2.6.9 provided here as a good example) for clarity and transparency.

    Plugin Support Gabriel – a11n

    (@gabrielfuentes)

    I appreciate you taking the time to share your insights, @hastibe. I’ve grasped your viewpoint and I’ll be sure to pass on your feedback.

    We truly value your input. Thank you!

  • The topic ‘Was a forced update to 7.4.2 pushed out?’ is closed to new replies.