WordPress Release: 4.9.17

Tag Name: 4.9.17

Release Date: 4/15/2021

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.9.17 Release

What's New: WordPress 4.9.17 is primarily a maintenance and security release that includes a fix allowing authors to read their own password-protected posts in the REST API. The release also includes significant improvements to the development and testing infrastructure, with updates to the Docker-based local environment, transition from TravisCI to GitHub Actions, and support for NodeJS 14.x.

Why it matters: This release ensures authors have proper access to their own content through the REST API while modernizing the development toolchain to maintain consistency across all supported WordPress branches.

Who should care: WordPress site owners should update for security reasons. WordPress developers and contributors will benefit from the improved testing infrastructure and development environment updates.

Highlight of the Release

    • Fixed a REST API issue that prevented authors from reading their own password-protected posts
    • Transitioned from TravisCI to GitHub Actions for automated testing
    • Added support for NodeJS 14.x in the 4.9 branch
    • Backported Docker-based local WordPress development environment

Migration Guide

This release doesn't require any specific migration steps for end users or site administrators. Simply update to WordPress 4.9.17 through your dashboard or via manual update.

For Developers

If you're a developer working with the WordPress 4.9 branch:

  1. Local Development Environment:

    • You can now use the Docker-based local environment for development
    • Follow the standard Docker setup instructions in the repository

  2. Node.js Version:

    • The branch now supports Node.js 14.x
    • Update your local Node.js version if needed for development

  3. Package Management:

    • The branch now uses package-lock.json instead of npm-shrinkwrap.json
    • Run npm install to update your dependencies

Upgrade Recommendations

Recommendation: All WordPress site owners should upgrade to version 4.9.17 as soon as possible.

Priority: Medium

This release contains a security fix related to the REST API authorization for password-protected posts. While this is not a critical vulnerability, it's recommended to update promptly to ensure proper access controls are in place.

The update process should be straightforward with no known compatibility issues. You can update through your WordPress dashboard or download the update from the WordPress.org website.

For sites on managed WordPress hosting, many providers will automatically apply this update.

Bug Fixes

  • REST API Access Control: Fixed an issue where authors couldn't read their own password-protected posts through the REST API.

  • Test Suite Improvements:

    • Fixed off-by-one error in pixel color checks for rotate and flip image tests
    • Changed to using PNG with single pixel to ensure errors are caught rather than lost in JPEG noise
    • Fixed an incorrect variable name in PDF tests that caused PHP errors when running with PDF rendering support
    • Added functionality to skip test_readme() if HTTP requests to secure.php.net or dev.mysql.com fail on timeout

New Features

Development Environment Improvements

  • Docker-based Local Environment: Backported the Docker-based local WordPress development environment to the 4.9 branch for easier and more consistent testing.

  • NodeJS 14.x Support: Updated the 4.9 branch to support the latest LTS version of NodeJS (14.x), allowing the same version to be used across all WordPress branches that receive security updates.

  • GitHub Actions Integration: Transitioned from TravisCI to GitHub Actions for automated testing, with improvements including:

    • Workflow dispatch event support for scheduled test runs
    • Parallel jobs for single site and multisite tests
    • Separate parallel jobs for slow tests on PHP <= 5.6
    • Better branch and path scoping for pull request workflows

  • Package Management Updates: Replaced npm-shrinkwrap.json with a package-lock.json file for better dependency management.

Security Updates

  • REST API Authorization: Fixed a security issue where authors couldn't access their own password-protected posts through the REST API. This ensures proper authorization controls while maintaining appropriate content access for authors.

Performance Improvements

This release doesn't include specific performance improvements for end users. However, the development workflow has been optimized through:

  • Improved testing infrastructure with parallel test jobs for faster feedback
  • More efficient Docker-based local development environment
  • Updated Node.js tooling for better build performance

Impact Summary

WordPress 4.9.17 is primarily a maintenance and security release that addresses an issue with the REST API where authors couldn't access their own password-protected posts. This fix ensures proper content access control while maintaining security.

The release also includes significant improvements to the development infrastructure, transitioning from TravisCI to GitHub Actions for automated testing and adding support for NodeJS 14.x. The Docker-based local development environment has been backported to the 4.9 branch, providing developers with a more consistent and reliable development experience across all supported WordPress branches.

These changes primarily benefit WordPress developers and contributors, while the security fix ensures content authors have appropriate access to their own protected content. Site administrators should update to maintain security best practices, though the security issue addressed is relatively targeted in scope.

This release represents WordPress's ongoing commitment to maintaining older branches with security updates and modernizing the development toolchain to ensure consistent quality across all supported versions.

Statistics:

  • Files Changed: 38
  • Line Additions: 11,839
  • Line Deletions: 6,500
  • Line Changes: 18,339
  • Total Commits: 14

Users Affected:

  • Can now access their own password-protected posts through the REST API
  • Improved workflow for managing protected content

Contributors:

desrosj, whyisjake, SergeyBiryukov, peterwilsoncc, aaronjorbin