WordPress Release: 5.4.7
Tag Name: 5.4.7
Release Date: 9/9/2021
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 5.4.7 brings important security updates and bug fixes
This maintenance release focuses on security improvements by updating the Lodash dependency to version 4.17.21 to address vulnerabilities, fixes a JSONP REST API handler issue, and improves the block editor by disabling certain attributes for rich text. While this is a minor update, it contains important security patches that make upgrading recommended for all WordPress 5.4.x users.
Highlight of the Release
- Updated Lodash dependency to version 4.17.21 to address security vulnerabilities
- Fixed JSONP REST API request handling to use the appropriate handler function
- Improved block editor security by disabling certain attributes for rich text
- Enhanced build process with hashed/deterministic moduleIDs in webpack configuration
Migration Guide
No specific migration steps are required for this maintenance release. This is a standard security and bug fix update that should be applied through the normal WordPress update process.
To update to WordPress 5.4.7:
- Back up your website files and database before updating
- Update through the WordPress admin dashboard (recommended)
- Alternatively, download the update from wordpress.org and perform a manual update
No database schema changes or breaking changes are included in this release.
Upgrade Recommendations
Priority: High
All WordPress 5.4.x users should upgrade to version 5.4.7 as soon as possible due to the security fixes included in this release, particularly the Lodash library update addressing known vulnerabilities.
This is a maintenance and security release that poses minimal risk of compatibility issues. The update process should be straightforward and is unlikely to affect existing functionality on most sites.
For sites on WordPress 5.4.x, this update is strongly recommended. For sites on earlier versions, upgrading to the latest supported WordPress version would be preferable for maximum security coverage.
Bug Fixes
REST API Handling Fix
- JSONP Request Handler: Fixed an issue with REST API JSONP requests by ensuring they specifically use the _jsonp_wp_die_handler() function, improving the handling of these particular API requests.
Block Editor Improvements
- Rich Text Attributes: Disabled certain attributes for rich text in the block editor to prevent potential issues and improve security.
New Features
Build System Improvements
- Deterministic Module IDs: Implemented hashed/deterministic moduleIDs in the webpack configuration, which helps with build consistency and caching optimization.
While this release is primarily focused on security and bug fixes rather than new features, the build system improvements represent a meaningful enhancement to the WordPress development infrastructure.
Security Updates
Dependency Updates
- Lodash Library: Updated the Lodash JavaScript library from the previous version to 4.17.21 to address known security vulnerabilities. This update patches multiple security issues in the library that could potentially be exploited.
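As an added example (not part of WordPress or of this release's code), the Node.js script below checks a parsed package-lock.json for copies of lodash older than the 4.17.21 baseline named above, which helps when auditing plugins or themes that bundle their own JavaScript dependencies. The function names and the sample lockfiles are constructed for illustration.

```javascript
const MIN_LODASH = '4.17.21'; // baseline version taken from the release notes above

// Compare two dotted numeric versions; returns <0, 0 or >0.
// Pre-release/build suffixes ("-rc.1", "+build") are ignored in this sketch.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a parsed package-lock.json and return every lodash entry below `min`.
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" objects).
function findOutdatedLodash(lock, min = MIN_LODASH) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/lodash$/.test(path) && meta.version &&
        compareVersions(meta.version, min) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'lodash' && meta.version && compareVersions(meta.version, min) < 0) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here); // transitive copies nested under this package
    }
  };
  // lockfileVersion 2 carries both sections; skip the legacy tree to avoid duplicates.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from WordPress or any real project).
const sampleV2 = { lockfileVersion: 2, packages: {
  '': { name: 'my-plugin' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/old-dep/node_modules/lodash': { version: '4.17.15' },
  'node_modules/lodash.merge': { version: '4.6.1' } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  lodash: { version: '4.17.19' },
  'old-dep': { version: '1.0.0', dependencies: { lodash: { version: '3.10.1' } } } } };

console.log(findOutdatedLodash(sampleV2), findOutdatedLodash(sampleV1));
```

To run it against a real project, replace the samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.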
Editor Security
- Rich Text Protection: Disabled certain attributes for rich text in the block editor to prevent potential security issues related to content handling.
Performance Improvements
Build Optimization
- Webpack Configuration: The implementation of hashed/deterministic moduleIDs in the webpack configuration may provide slight performance benefits through improved caching and more consistent builds.
This release doesn't contain major performance-focused changes, but the build system improvements contribute to overall code efficiency.
Impact Summary
WordPress 5.4.7 is a security-focused maintenance release that addresses important vulnerabilities while making minimal changes to functionality. The update to Lodash 4.17.21 patches known security issues in this widely-used dependency. The JSONP REST API handler fix improves request handling reliability, while the block editor changes enhance security by restricting certain rich text attributes.
This release represents WordPress's ongoing commitment to security maintenance even for older branch versions. The changes are targeted and specific, with minimal risk of disruption to existing sites. The webpack configuration improvements, while not user-facing, contribute to better build processes for developers working with WordPress code.
Overall, this is a necessary security update that should be applied promptly, but users should expect little to no visible changes to their WordPress experience after updating.
Users Affected:
- Need to update their WordPress installations to ensure security vulnerabilities are patched
- Benefit from improved JSONP REST API request handling
- Should plan for a routine update with minimal site impact
