WordPress Release: 5.6.5
Tag Name: 5.6.5
Release Date: 9/9/2021
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 5.6.5 brings important security updates and bug fixes
This maintenance release focuses on security improvements by updating the Lodash dependency to version 4.17.21 to address vulnerabilities, fixes a JSONP REST API handler issue, and enhances the block editor security by disabling certain rich text attributes. The update is recommended for all WordPress 5.6.x installations to maintain site security and stability.
Highlights of the Release
- Updated Lodash library to version 4.17.21 to address security vulnerabilities
- Fixed JSONP REST API handler to improve security
- Disabled certain attributes for rich text to enhance block editor security
- Implemented hashed/deterministic moduleIDs in webpack configuration for more consistent builds
Migration Guide
No significant migration steps are required for this maintenance release. WordPress 5.6.5 is a security and bug fix release that should be compatible with all plugins and themes that work with WordPress 5.6.
If you're a developer who has extensively customized the rich text functionality in the block editor, you may want to review your code to ensure it doesn't rely on any of the now-disabled attributes.
Upgrade Recommendations
This release contains important security fixes, so upgrading is strongly recommended for all sites running WordPress 5.6.x.
- Priority: High (security release)
- Timing: Update as soon as possible
- Preparation: As always, back up your site before updating
- Compatibility: No major compatibility issues have been reported
You can update through your WordPress dashboard, or download the release directly from the WordPress.org website.
Bug Fixes
REST API Improvements
- JSONP Handler Fix: Modified the REST API to only use _jsonp_wp_die_handler() for JSONP REST API requests, ensuring proper error handling and preventing potential issues with non-JSONP requests.
Block Editor Fixes
- Rich Text Security: Disabled certain attributes for rich text in the block editor to prevent potential security issues. This change helps maintain the integrity of content while protecting against possible vulnerabilities.
New Features
Enhanced Build System
- Deterministic Webpack Builds: Implemented hashed/deterministic moduleIDs in the webpack configuration, resulting in more consistent and predictable builds. This change helps developers by creating more reliable asset files across different environments.
Security Updates
- Lodash Library Update: Updated the Lodash JavaScript library from previous versions to 4.17.21 to address known security vulnerabilities. Lodash is widely used throughout WordPress core and this update patches several CVEs (Common Vulnerabilities and Exposures) that could potentially be exploited.
- Rich Text Attribute Restrictions: Enhanced security in the block editor by disabling certain attributes for rich text that could potentially be used in malicious ways.
- JSONP Handler Improvements: Improved the security of the REST API by ensuring that the JSONP die handler is only used for actual JSONP requests, preventing potential misuse in other contexts.
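Updating core does not touch copies of Lodash that a plugin or theme bundles through its own npm dependencies. The following check is an added example, not code from WordPress: it scans a parsed package-lock.json for any copy of lodash below 4.17.21, including nested ones. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag every installed copy of lodash older than 4.17.21.
const MIN_LODASH = '4.17.21'; // patched version named in the release notes

// Numeric comparison of plain x.y.z versions: negative, zero or positive.
// A non-numeric part (e.g. a pre-release tag) counts as 0, so it errs towards flagging.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Entries without a version string (e.g. workspace links) are skipped.
const isOld = (meta, min) =>
  typeof meta.version === 'string' && compareVersions(meta.version, min) < 0;

// Accepts a parsed package-lock.json and returns [{ path, version }] for old copies.
function findOldLodash(lock, min = MIN_LODASH) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/lodash$/.test(path) && isOld(meta, min)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists,
  // because v2 files carry both and would otherwise be counted twice).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'lodash' && isOld(meta, min)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: top-level lodash is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-plugin', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/legacy-widget/node_modules/lodash': { version: '4.17.15' },
  },
};
console.log(findOldLodash(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample object.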
Performance Improvements
Build Performance
- Webpack Configuration: The implementation of hashed/deterministic moduleIDs in the webpack configuration not only improves build consistency but can also lead to better caching performance for JavaScript assets.
Impact Summary
WordPress 5.6.5 is primarily a security-focused maintenance release that addresses several potential vulnerabilities without introducing new features or changing existing functionality. The update to Lodash 4.17.21 patches known security issues in this widely-used JavaScript library, while the changes to the JSONP handler and rich text attributes further enhance WordPress's security posture.
For most users, this update will be seamless with no visible changes to the WordPress experience. Developers should note the technical improvements, particularly the webpack configuration changes that introduce more deterministic builds.
This release demonstrates WordPress's ongoing commitment to security maintenance across all supported versions, ensuring that even users who haven't upgraded to the latest major version can maintain a secure website.
