WordPress Release: 3.7.36

TL;DR

WordPress 3.7.36 Release

This maintenance release focuses primarily on modernizing the development infrastructure for the 3.7 branch. It updates build and test tools to support modern NodeJS (14.x), introduces Docker-based local development, and migrates automated testing from TravisCI to GitHub Actions. The release also includes an important security improvement to PHPMailer's attachment handling. While most changes are developer-facing, the PHPMailer update enhances security for all WordPress 3.7 installations.

Highlight of the Release

• Security improvement to PHPMailer's attachment handling
• Migration from TravisCI to GitHub Actions for automated testing
• Introduction of Docker-based local WordPress development environment
• Support for NodeJS 14.x LTS in the 3.7 branch
• Improved test reliability with better timeout handling

Migration Guide

No migration steps are required for this release. The changes are primarily related to development infrastructure and do not affect the WordPress API or user-facing functionality.

For developers working with the 3.7 branch:

• If you were using TravisCI for testing, you should now use GitHub Actions
• The local development environment now supports Docker
• Build tools now require NodeJS 14.x

Upgrade Recommendations

This release contains a security improvement to PHPMailer's attachment handling. While WordPress 3.7 is no longer officially supported with security updates, this courtesy update is recommended for all sites still running WordPress 3.7.

Recommendation: Update to WordPress 3.7.36 as soon as possible if you're still running WordPress 3.7. However, for optimal security and features, upgrading to the latest supported WordPress version is strongly encouraged.

Bug Fixes

Test Reliability Improvements

• Enhanced Timeout Handling: Improved skipTestOnTimeout() function to handle more types of timeouts in HTTP tests, including "Resolving timed out" and "Connection timed out" scenarios
• SVN Merge Info: Corrected svn:mergeinfo for the 3.7 branch to properly track merged changes

New Features

Development Environment Improvements

• Docker-based Local Environment: Introduced Docker-based local WordPress development environment to the 3.7 branch, making it consistent with newer WordPress versions
• NodeJS 14.x Support: Updated build tools to support the latest LTS version of NodeJS (14.x)
• GitHub Actions Workflows: Migrated automated testing from TravisCI to GitHub Actions with several improvements:
  • Workflow dispatch event support for scheduled test runs
  • Parallel jobs for single site and multisite tests
  • Separate parallel jobs for slow tests on PHP <= 5.6
  • Better branch and path scoping for pull request workflows
• Package Management: Added package-lock.json for more reliable dependency management

Security Updates

PHPMailer Security Improvement

• Enhanced Attachment Handling: Improved attachment handling in PHPMailer to address potential security concerns
• This change helps ensure safer email operations when attachments are used with WordPress mail functions

Performance Improvements

No specific performance improvements were included in this release. The changes were primarily focused on development infrastructure, testing tools, and security.

Impact Summary

WordPress 3.7.36 is primarily a maintenance and security release that modernizes the development infrastructure for the 3.7 branch while providing a security improvement to PHPMailer's attachment handling.

The most significant impact is for developers working with the 3.7 branch, who now have access to modern development tools including Docker-based local environments and GitHub Actions for automated testing. The transition from TravisCI to GitHub Actions represents a major shift in how testing is conducted for this branch.

For site administrators and end users, the PHPMailer security improvement enhances the safety of email operations, particularly when attachments are involved. This is an important security update, even though WordPress 3.7 is no longer officially supported.

Overall, this release demonstrates WordPress's commitment to providing courtesy security updates even to older versions, while also ensuring that developers working with these older branches have access to modern tools.