WordPress Release: 4.7.20

TL;DR

WordPress 4.7.20 is primarily a security and maintenance release that fixes an issue with the REST API where authors couldn't read their own password-protected posts. The release also includes significant improvements to the development and testing infrastructure, including migration from TravisCI to GitHub Actions, Docker environment updates, and better support for NodeJS 14.x. While most changes are behind-the-scenes for developers and contributors, the REST API fix improves functionality for content creators.

Highlight of the Release

• Fixed REST API issue allowing authors to read their own password-protected posts
• Migrated from TravisCI to GitHub Actions for automated testing
• Added Docker-based local WordPress development environment to the 4.7 branch
• Updated to support NodeJS 14.x LTS version
• Improved test reliability with better timeout handling

Migration Guide

No specific migration steps are required for this release. This is primarily a maintenance and security release that focuses on behind-the-scenes improvements to the development and testing infrastructure.

If you're a developer working with the 4.7 branch:

• You can now use the Docker-based local development environment
• Testing can be performed using GitHub Actions instead of TravisCI
• NodeJS 14.x is now supported for development tasks
• Package management now uses package-lock.json instead of npm-shrinkwrap.json

Upgrade Recommendations

This release contains a security fix for the REST API and significant improvements to the development infrastructure. It is recommended that all WordPress 4.7.x sites be updated to version 4.7.20 as soon as possible.

While the REST API fix primarily affects authors working with password-protected content, security updates should always be applied promptly to maintain site security. The development infrastructure improvements don't affect production sites but provide better tools for developers and contributors working with the 4.7 branch.

Bug Fixes

REST API Fix

• Fixed an issue where authors couldn't read their own password-protected posts through the REST API.

Test Suite Fixes

• Fixed an off-by-one error in pixel color checks for rotate and flip image tests.
• Changed to using PNG with single pixel to ensure errors are caught rather than lost in JPEG noise.
• Fixed an incorrect variable name in PDF tests that caused PHP errors when running the test suite with PDF rendering support.
• Improved skipTestOnTimeout() function to handle more types of timeouts in HTTP tests, such as "Resolving timed out" and "Connection timed out".

New Features

Development Environment Improvements

• Docker-based Local Environment: Backported the Docker-based local WordPress development environment to the 4.7 branch for easier and more consistent testing.
• GitHub Actions Support: Migrated from TravisCI to GitHub Actions for automated testing, with improved workflow configurations including:
  • Ability to trigger workflows manually with workflow_dispatch
  • Parallel execution for single site and multisite tests
  • Separate jobs for slow tests on PHP <= 5.6
  • Better branch and path scoping for pull request testing
• NodeJS 14.x Support: Updated dependencies to support the latest LTS version of NodeJS (14.x), allowing the same version to be used across all WordPress branches that receive security updates.
• Package Management: Replaced npm-shrinkwrap.json with package-lock.json for better dependency management.

Security Updates

REST API Security Fix

Fixed a security issue in the REST API where authors were unable to read their own password-protected posts. This ensures that content creators can properly access and manage their own protected content through the API while maintaining the security of password protection for other users.

Performance Improvements

Testing Performance Improvements

• Split single site and multisite tests into parallel jobs for faster test execution
• Separated slow tests into dedicated parallel jobs for PHP <= 5.6
• Improved test reliability with better timeout handling in HTTP tests
• Optimized GitHub Actions workflows for more efficient CI/CD processes

Impact Summary

WordPress 4.7.20 is primarily focused on security and development infrastructure improvements. The key security fix addresses an issue in the REST API where authors couldn't access their own password-protected posts, which improves functionality for content creators while maintaining security.

The majority of changes in this release are related to modernizing the development and testing infrastructure for the 4.7 branch. This includes migrating from TravisCI to GitHub Actions, adding Docker-based local development environment, supporting NodeJS 14.x, and improving test reliability. These changes make it easier for developers and contributors to work with and maintain the 4.7 branch, ensuring continued security updates can be delivered efficiently.

For most WordPress users, this update will be transparent with no visible changes to functionality. Content creators who use the REST API with password-protected posts will benefit from the improved access to their own content. The release is part of WordPress's ongoing commitment to maintaining security and providing a solid foundation for older branches that still receive security updates.