Conversation

@justlevine
Collaborator

What

  1. Updates deps to their latest compatible versions.
  2. Updates dependabot.yml to a sensible config.
  3. Backports Encryptor class
  4. Drops beta from the version.

Why

Related Issue(s):

How

Testing Instructions

Screenshots

Additional Info

Checklist

  • I have read the Contribution Guidelines.
  • I have read the Development Guidelines.
  • My code is tested to the best of my abilities.
  • My code passes all lints (ESLint etc.).
  • My code has detailed inline documentation.
  • I have updated the project documentation as needed.

Copilot AI review requested due to automatic review settings January 27, 2026 20:15
Contributor

Copilot AI left a comment

Pull request overview

This PR attempts to update dependencies and remove the beta designation from version 1.1.0, while also backporting a refactored Encryptor class. However, the PR contains multiple critical issues that prevent it from being safely merged.

Changes:

  • Updates version from 1.1.0-beta.1 to 1.1.0 across multiple files
  • Updates Dependabot configuration with new grouping and scheduling rules
  • Backports a refactored Encryptor class that changes encryption from AES-256-GCM to AES-256-CTR
  • Updates several composer and npm dependencies (though some are downgrades rather than upgrades)

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 14 comments.

Summary per file:

readme.txt: Updates stable tag to 1.1.0 and replaces inline changelog with link to GitHub
package.json: Updates npm dependencies, includes downgrades for @wordpress/components (31.0.0→30.9.0) and eslint (9.39.2→8.57.1)
oneupdate.php: Updates plugin version to 1.1.0
inc/Encryptor.php: Complete rewrite changing from AES-GCM to AES-CTR encryption with no migration path
composer.lock: Updates PHP dependencies including downgrades (plugin-check 1.8.0→1.6.0)
composer.json: Downgrades plugin-check requirement from ~1.8.0 to ~1.6.0
CHANGELOG.md: Updates version header to 1.1.0
.github/dependabot.yml: Adds invalid configuration options (cooldown, directories) and removes several package ecosystems

Comment on lines +100 to +101
// If you're here, you're either not on a live site or have a serious security issue.
return 'this-is-not-a-real-key-change-me';
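Review bot: the comment on line +100 already states that reaching this branch means "a serious security issue", yet line +101 returns a usable key instead of failing closed; replace the `return` with an exception (for example `throw new \RuntimeException('No encryption key configured');`) so encrypt and decrypt refuse to run without ONEPRESS_ENCRYPTION_KEY or LOGGED_IN_KEY. A fixed string returned here is also identical on every install that lacks those constants, so anyone who has read this file can decrypt data from any such install, and data written under it silently becomes undecryptable once a real key is later added; if a development-only fallback is really wanted, gate it on an explicit opt-in constant rather than on the absence of the real keys.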

Copilot AI Jan 27, 2026

The fallback encryption key "this-is-not-a-real-key-change-me" is a significant security risk. If ONEPRESS_ENCRYPTION_KEY and LOGGED_IN_KEY are not defined (which could happen in development environments or misconfigured installations), all encrypted data would be protected only by this hardcoded, publicly-known key. This completely defeats the purpose of encryption. Consider throwing an exception or refusing to encrypt/decrypt if proper keys are not configured, rather than silently using an insecure fallback.

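As an added example (not the plugin's own Encryptor class and not code from this PR), the fail-closed approach the review comment suggests: resolve the key from the two constants the comment names (ONEPRESS_ENCRYPTION_KEY, then LOGGED_IN_KEY; the order is an assumption), throw when neither is usable, and feed the derived key into AES-256-GCM so a wrong key or a modified ciphertext is rejected at decrypt time instead of yielding garbage. The class and function names, the HKDF info string, the placeholder-salt check and the `v1:` envelope prefix are all assumptions made for the example; the demo key at the bottom is a constructed value.

```php
<?php
// Added example: fail-closed key lookup plus authenticated encryption.
// Not the plugin's Encryptor; names and envelope format are assumptions.
declare(strict_types=1);

final class MissingEncryptionKey extends RuntimeException {}

/**
 * Return usable key material from the first configured constant, or throw.
 * Order (ONEPRESS_ENCRYPTION_KEY before LOGGED_IN_KEY) is an assumption.
 */
function resolve_key_material(): string {
    foreach (['ONEPRESS_ENCRYPTION_KEY', 'LOGGED_IN_KEY'] as $name) {
        if (!defined($name)) {
            continue;
        }
        $value = (string) constant($name);
        // wp-config-sample.php ships the literal placeholder below; a site that
        // never replaced it has no real secret, so treat it as unset.
        if ($value !== '' && strlen($value) >= 32
            && stripos($value, 'put your unique phrase here') === false) {
            return $value;
        }
    }
    throw new MissingEncryptionKey(
        'No encryption key configured: define ONEPRESS_ENCRYPTION_KEY '
        . '(or a real LOGGED_IN_KEY) in wp-config.php.'
    );
}

/** Derive a fixed 32-byte AES-256 key bound to this purpose (info string assumed). */
function derive_aes_key(string $material): string {
    return hash_hkdf('sha256', $material, 32, 'oneupdate-aes-256-gcm');
}

/** Encrypt with AES-256-GCM: fresh 96-bit nonce per call, 16-byte tag, versioned envelope. */
function encrypt_value(string $plaintext): string {
    $key = derive_aes_key(resolve_key_material());
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    // The "v1:" prefix gives a later format change something to dispatch on.
    return 'v1:' . base64_encode($iv . $tag . $ct);
}

/** Decrypt and verify; any tag mismatch (wrong key, bit flip, truncation) throws. */
function decrypt_value(string $envelope): string {
    if (strncmp($envelope, 'v1:', 3) !== 0) {
        throw new RuntimeException('Unknown ciphertext format');
    }
    $raw = base64_decode(substr($envelope, 3), true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $key = derive_aes_key(resolve_key_material());
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('Decryption failed: authentication tag mismatch');
    }
    return $pt;
}

// 1. No key defined: the code refuses to encrypt instead of using a public constant.
try {
    encrypt_value('secret');
    echo "BUG: encrypted without a configured key\n";
} catch (MissingEncryptionKey $e) {
    echo "refused: {$e->getMessage()}\n";
}

// 2. Key configured (constructed demo value): round trip succeeds.
define('ONEPRESS_ENCRYPTION_KEY', str_repeat('k', 64));
$sealed = encrypt_value('api-token-123');
if (decrypt_value($sealed) !== 'api-token-123') {
    throw new LogicException('round trip failed');
}

// 3. Flip one ciphertext bit: GCM rejects it, which unauthenticated CTR would not.
$raw = base64_decode(substr($sealed, 3), true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decrypt_value('v1:' . base64_encode($raw));
    echo "BUG: tampered ciphertext accepted\n";
} catch (RuntimeException $e) {
    echo "rejected tampered ciphertext: {$e->getMessage()}\n";
}
```

Run it with `php example.php` on a PHP 8 CLI with the OpenSSL extension. The placeholder-salt check matters in practice: a site whose wp-config.php still carries the sample salts has a LOGGED_IN_KEY that is defined but public, which is the same failure mode as the hard-coded fallback wearing a different name.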
@justlevine justlevine requested a review from up1512001 January 27, 2026 21:57
up1512001
up1512001 previously approved these changes Jan 28, 2026
@justlevine justlevine merged commit 0a5ddf8 into develop Jan 28, 2026
9 checks passed
@justlevine justlevine deleted the release/1.1.0 branch January 28, 2026 17:07
4 participants