Releases: squizlabs/PHP_CodeSniffer
2.9.1
3.0.0
This is the first stable release of the 3.0 branch, and is a large refactoring of the code base. It breaks backwards compatibility for all custom sniffs and custom reports. An upgrade guide for sniff and report developers is available here: https://github.com/squizlabs/PHP_CodeSniffer/wiki/Version-3.0-Upgrade-Guide
Note: If you only use the built-in coding standards (such as PEAR or PSR2), or you have a custom ruleset.xml file that only makes use of the sniffs and reports distributed with PHP_CodeSniffer, you do not need to make any changes to begin using the 3.0.0 version.
There are no future planned releases for the 2.x branch, but there may still be additional 2.9.x versions released for a time due to the number of changes required to upgrade custom sniffs for 3.0. The intention is to limit 2.9.x releases to serious bug and security fixes only.
Changes since 3.0.0RC4
- Added an --ignore-annotations command line argument to ignore all @codingstandards annotations in code comments (request #811)
- This allows you to force errors to be shown that would otherwise be ignored by code comments
- Also stop files being able to change sniff properties mid way through processing
- An error is now reported if no sniffs were registered to be run (request #1129)
- The autoloader will now search for files inside the directory of any loaded coding standard
- This allows autoloading of any file inside a custom coding standard without manually requiring them
- Ensure your namespace begins with your coding standard's directory name and follows PSR-4
- e.g., StandardName\Sniffs\CategoryName\AbstractHelper or StandardName\Helpers\StringSniffHelper
- Fixed an error where STDIN was sometimes not checked when using the --parallel CLI option
- The is_closure index has been removed from the return value of File::getMethodProperties()
- This value was always false because T_FUNCTION tokens are never closures
- Closures have a token type of T_CLOSURE
- The File::isAnonymousFunction() method has been removed
- This function always returned false because it only accepted T_FUNCTION tokens, which are never closures
- Closures have a token type of T_CLOSURE
- Includes all changes from the 2.9.0 release
- Fixed bug #834 : PSR2.ControlStructures.SwitchDeclaration does not handle if branches with returns
- Thanks to Fabian Wiget for the patch
Changes since 2.x
For a full list of changes from the 2.x version, please review the following changelogs:
https://github.com/squizlabs/PHP_CodeSniffer/releases/tag/3.0.0a1
https://github.com/squizlabs/PHP_CodeSniffer/releases/tag/3.0.0RC1
https://github.com/squizlabs/PHP_CodeSniffer/releases/tag/3.0.0RC2
https://github.com/squizlabs/PHP_CodeSniffer/releases/tag/3.0.0RC3
https://github.com/squizlabs/PHP_CodeSniffer/releases/tag/3.0.0RC4
2.9.0
- Added Generic.Debug.ESLint sniff to run ESLint over JS files and report errors
- Set eslint path using: phpcs --config-set eslint_path /path/to/eslint
- Thanks to Ryan McCue for the contribution
- T_POW is now properly considered an arithmetic operator, and will be checked as such
- Thanks to Juliette Reinders Folmer for the patch
- T_SPACESHIP and T_COALESCE are now properly considered comparison operators, and will be checked as such
- Thanks to Juliette Reinders Folmer for the patch
- Generic.PHP.DisallowShortOpenTag now warns about possible short open tags even when short_open_tag is set to OFF
- Thanks to Juliette Reinders Folmer for the patch
- Generic.WhiteSpace.DisallowTabIndent now finds and fixes improper use of spaces anywhere inside the line indent
- Previously, only the first part of the indent was used to determine the indent type
- Thanks to Juliette Reinders Folmer for the patch
- PEAR.Commenting.ClassComment now supports checking of traits as well as classes and interfaces
- Thanks to Juliette Reinders Folmer for the patch
- Squiz.Commenting.FunctionCommentThrowTag now supports re-throwing exceptions (request #946)
- Thanks to Samuel Levy for the patch
- Squiz.PHP.DisallowMultipleAssignments now ignores PHP4-style member var assignments
- Thanks to Juliette Reinders Folmer for the patch
- Squiz.WhiteSpace.FunctionSpacing now ignores spacing above functions when they are preceded by inline comments
- Stops conflicts between this sniff and comment spacing sniffs
- Squiz.WhiteSpace.OperatorSpacing no longer checks the equal sign in declare statements
- Thanks to Juliette Reinders Folmer for the patch
- Added missing error codes for a couple of sniffs so they can now be customised as normal
- Fixed bug #1266 : PEAR.WhiteSpace.ScopeClosingBrace can throw an error while fixing mixed PHP/HTML
- Fixed bug #1364 : Yield From values are not recognised as returned values in Squiz FunctionComment sniff
- Fixed bug #1373 : Error in tab expansion results in white-space of incorrect size
- Thanks to Mark Clements for the patch
- Fixed bug #1381 : Tokenizer: dereferencing incorrectly identified as short array
- Fixed bug #1387 : Squiz.ControlStructures.ControlSignature does not handle alt syntax when checking space after closing brace
- Fixed bug #1392 : Scope indent calculated incorrectly when using array destructuring
- Fixed bug #1394 : integer type hints appearing as TypeHintMissing instead of ScalarTypeHintMissing
- PHP 7 type hints were also being shown when run under PHP 5 in some cases
- Fixed bug #1405 : Squiz.WhiteSpace.ScopeClosingBrace fails to fix closing brace within indented PHP tags
- Fixed bug #1421 : Ternaries used in constant scalar expression for param default misidentified by tokenizer
- Fixed bug #1431 : PHPCBF can't fix short open tags when they are not followed by a space
- Thanks to Gonçalo Queirós for the patch
- Fixed bug #1432 : PHPCBF can make invalid fixes to inline JS control structures that make use of JS objects
3.0.0RC4
Security Advisory
- This release contains a fix for a security advisory related to the improper handling of shell commands
  - Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
  - A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
- All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
  - e.g., you run PHPCS over libraries that you did not write
  - e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
  - e.g., you allow external tool paths to be set by user-defined values
- If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
  - The diff report
  - The notify-send report
  - The Generic.PHP.Syntax sniff
  - The Generic.Debug.CSSLint sniff
  - The Generic.Debug.ClosureLinter sniff
  - The Generic.Debug.JSHint sniff
  - The Squiz.Debug.JSLint sniff
  - The Squiz.Debug.JavaScriptLint sniff
  - The Zend.Debug.CodeAnalyzer sniff
- Thanks to Klaus Purer for the report
Other Changes
- The indent property of PEAR.Classes.ClassDeclaration has been removed
- Instead of calculating the indent of the brace, it just ensures the brace is aligned with the class keyword
- Other sniffs can be used to ensure the class itself is indented correctly
- Invalid exclude rules inside a ruleset.xml file are now ignored instead of potentially causing out of memory errors
- Using the -vv command line argument now also shows the invalid exclude rule as XML
- Includes all changes from the 2.8.1 release
- Fixed bug #1333 : The new autoloader breaks some frameworks with custom autoloaders
- Fixed bug #1334 : Undefined offset when explaining standard with custom sniffs
2.8.1
Security Advisory
- This release contains a fix for a security advisory related to the improper handling of shell commands
  - Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
  - A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
- All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
  - e.g., you run PHPCS over libraries that you did not write
  - e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
  - e.g., you allow external tool paths to be set by user-defined values
- If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
  - The diff report
  - The notify-send report
  - The Generic.PHP.Syntax sniff
  - The Generic.Debug.CSSLint sniff
  - The Generic.Debug.ClosureLinter sniff
  - The Generic.Debug.JSHint sniff
  - The Squiz.Debug.JSLint sniff
  - The Squiz.Debug.JavaScriptLint sniff
  - The Zend.Debug.CodeAnalyzer sniff
- Thanks to Klaus Purer for the report
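The class of bug described in this advisory (and in the identical 3.0.0RC4 advisory above), as an added PHP example that is not PHP_CodeSniffer's code or its actual patch: a command string built by pasting in a file name and a configured tool path, beside a form that validates the tool path and quotes every value with escapeshellarg(). The function names, the constructed file name and the use of /bin/echo as a stand-in for a linter binary are assumptions, and a POSIX shell is assumed.

```php
<?php
// Added example; not PHP_CodeSniffer source. All function names are hypothetical.
// Assumes a POSIX shell and that /bin/echo exists (harmless stand-in for a linter).

// The pattern the advisory describes: values pasted straight into the command.
function lintCommandUnescaped(string $toolPath, string $fileName): string
{
    return $toolPath.' -l "'.$fileName.'" 2>&1';
}

// Hardened form: the configured tool must resolve to a real executable file,
// and each value reaches the shell as exactly one quoted argument.
function lintCommandEscaped(string $toolPath, string $fileName): string
{
    $resolved = realpath($toolPath);
    if ($resolved === false
        || is_file($resolved) === false
        || is_executable($resolved) === false
    ) {
        throw new InvalidArgumentException('Tool path is not an executable file');
    }

    // A leading dash would be parsed by the tool as an option, not a file name.
    if ($fileName !== '' && $fileName[0] === '-') {
        $fileName = './'.$fileName;
    }

    return escapeshellarg($resolved).' -l '.escapeshellarg($fileName).' 2>&1';
}

// Runs a command through the shell and returns everything it printed.
function runAndCapture(string $cmd): string
{
    $output = [];
    exec($cmd, $output);
    return implode("\n", $output);
}

// Constructed sample input: a file name that contains shell syntax, as could
// appear in a 3rd-party repository or an uploaded archive.
$fileName = 'src/a$(echo INJECTED).php';
$tool     = '/bin/echo';

$unescaped = lintCommandUnescaped($tool, $fileName);
$escaped   = lintCommandEscaped($tool, $fileName);

// In the first run the shell evaluates the $(...) part of the file name;
// in the second the name arrives at the tool byte for byte.
echo "unescaped command: ".$unescaped."\n";
echo "  tool received:   ".runAndCapture($unescaped)."\n";
echo "escaped command:   ".$escaped."\n";
echo "  tool received:   ".runAndCapture($escaped)."\n";

// Constructed sample: a configuration value carrying shell syntax is refused
// before any command string is built.
try {
    lintCommandEscaped('/bin/echo; echo INJECTED', $fileName);
} catch (InvalidArgumentException $e) {
    echo "rejected tool path: ".$e->getMessage()."\n";
}
```

Quoting the tool path with escapeshellarg() after resolving it, rather than passing it through escapeshellcmd(), also stops a configured value from carrying extra space-separated arguments.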
Other Changes
- The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
- PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
- PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
- Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
- It would previously report that only one argument is allowed per line
- Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
- Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
- Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
- Thanks to Juliette Reinders Folmer for the patch
- Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
- As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
- Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
- Fixed bug #1340 : STDIN file contents not being populated in some cases
- Thanks to David Biňovec for the patch
- Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
- Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
- Thanks to Algirdas Gurevicius for the patch
- Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
- Thanks to Algirdas Gurevicius for the patch
- Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
- Fixed bug #1369 : Empty line in multi-line function declaration causes infinite loop
3.0.0RC3
- Added support for ES6 class declarations
- Previously, these classes were tokenized as JS objects but are now tokenized as normal T_CLASS structures
- Added support for ES6 method declarations, where the "function" keyword is not used
- Previously, these methods were tokenized as JS objects (fixes bug #1251)
- The name of the ES6 method is now assigned the T_FUNCTION keyword and treated like a normal function
- Custom sniffs that support JS and listen for T_FUNCTION tokens can't assume the token represents the word "function"
- Check the contents of the token first, or use $phpcsFile->getDeclarationName($stackPtr) if you just want its name
- There is no change for custom sniffs that only check PHP code
- PHPCBF exit codes have been changed so they are now more useful (request #1270)
- Exit code 0 is now used to indicate that no fixable errors were found, and so nothing was fixed
- Exit code 1 is now used to indicate that all fixable errors were fixed correctly
- Exit code 2 is now used to indicate that PHPCBF failed to fix some of the fixable errors it found
- Exit code 3 is now used for general script execution errors
- Added PEAR.Commenting.FileComment.ParamCommentAlignment to check alignment of multi-line param comments
- Includes all changes from the 2.8.0 release
- Fixed an issue where excluding a file using a @codingStandardsIgnoreFile comment would produce errors
- For PHPCS, it would show empty files being processed
- For PHPCBF, it would produce a PHP error
- Fixed bug #1233 : Can't set config data inside ruleset.xml file
- Fixed bug #1241 : CodeSniffer.conf not working with 3.x PHAR file
2.8.0
- The Internal.NoCodeFound error is no longer generated for content sourced from STDIN
- This should stop some Git hooks generating errors because PHPCS is trying to process the refs passed on STDIN
- Squiz.Commenting.DocCommentAlignment now checks comments on class properties defined using the VAR keyword
- Thanks to Klaus Purer for the patch
- The getMethodParameters() method now recognises "self" as a valid type hint
- The return array now contains a new "content" index containing the raw content of the param definition
- Thanks to Juliette Reinders Folmer for the patch
- The getMethodParameters() method now supports nullable types
- The return array now contains a new "nullable_type" index set to true or false for each method param
- Thanks to Juliette Reinders Folmer for the patch
- The getMethodParameters() method now supports closures
- Thanks to Juliette Reinders Folmer for the patch
- Added more guard code for JS files with syntax errors (request #1271 and request #1272)
- Added more guard code for CSS files with syntax errors (request #1304)
- PEAR.Commenting.FunctionComment fixers now correctly handle multi-line param comments
- AbstractVariableSniff now supports anonymous classes
- Thanks to Juliette Reinders Folmer for the patch
- Generic.NamingConventions.ConstructorName and PEAR.NamingConventions.ValidVariable now support anonymous classes
- Generic.NamingConventions.CamelCapsFunctionName and PEAR.NamingConventions.ValidFunctionName now support anonymous classes
- Thanks to Juliette Reinders Folmer for the patch
- Generic.CodeAnalysis.UnusedFunctionParameter and PEAR.Functions.ValidDefaultValue now support closures
- Thanks to Juliette Reinders Folmer for the patch
- PEAR.NamingConventions.ValidClassName and Squiz.Classes.ValidClassName now support traits
- Thanks to Juliette Reinders Folmer for the patch
- Generic.Functions.FunctionCallArgumentSpacing now supports closures and other PHP-provided functions
- Thanks to Algirdas Gurevicius for the patch
- Fixed an error where a nullable type character was detected as an inline then token
- A new T_NULLABLE token has been added to represent the ? nullable type character
- Thanks to Jaroslav Hanslík for the patch
- Squiz.WhiteSpace.SemicolonSpacing no longer removes comments while fixing the placement of semicolons
- Thanks to Algirdas Gurevicius for the patch
- Fixed bug #1230 : JS tokeniser incorrectly tokenises bitwise shifts as comparison
- Thanks to Ryan McCue for the patch
- Fixed bug #1237 : Uninitialized string offset in PHP Tokenizer on PHP 5.2
- Fixed bug #1239 : Warning when static method name is 'default'
- Fixed bug #1240 : False positive for function names starting with triple underscore
- Thanks to Juliette Reinders Folmer for the patch
- Fixed bug #1245 : SELF is not recognised as T_SELF token in: return new self
- Fixed bug #1246 : A mix of USE statements with and without braces can cause the tokenizer to mismatch brace tokens
- Thanks to Michał Bundyra for the patch
- Fixed bug #1249 : GitBlame report requires a .git directory
- Fixed bug #1252 : Squiz.Strings.ConcatenationSpacing fix creates syntax error when joining a number to a string
- Fixed bug #1253 : Generic.ControlStructures.InlineControlStructure fix creates syntax error fixing if-try/catch
- Fixed bug #1255 : Inconsistent indentation check results when ELSE on new line
- Fixed bug #1257 : Double dash in CSS class name can lead to "Named colours are forbidden" false positives
- Fixed bug #1260 : Syntax errors not being shown when error_prepend_string is set
- Thanks to Juliette Reinders Folmer for the patch
- Fixed bug #1264 : Array return type hint is sometimes detected as T_ARRAY_HINT instead of T_RETURN_TYPE
- Thanks to Jaroslav Hanslík for the patch
- Fixed bug #1265 : ES6 arrow function raises unexpected operator spacing errors
- Fixed bug #1267 : Fixer incorrectly handles filepaths with repeated dir names
- Thanks to Sergey Ovchinnikov for the patch
- Fixed bug #1276 : Commenting.FunctionComment.InvalidReturnVoid conditional issue with anonymous classes
- Fixed bug #1277 : Squiz.PHP.DisallowMultipleAssignments.Found error when var assignment is on the same line as an open tag
- Fixed bug #1284 : Squiz.Arrays.ArrayBracketSpacing.SpaceBeforeBracket false positive match for short list syntax
3.0.0RC2
- Fixed an undefined var name error that could be produced while running PHPCBF
- Made the Runner class easier to use with wrapper scripts
- Full usage information is no longer printed when a usage error is encountered (request #1186)
- Makes it a lot easier to find and read the error message that was printed
- Includes all changes from the 2.7.1 release
- Fixed bug #1167 : 3.0.0RC1 PHAR does not work with PEAR standard
- Fixed bug #1208 : Excluding files doesn't work when using STDIN with a filename specified
2.7.1
- Squiz.ControlStructures.ControlSignature.SpaceAfterCloseParenthesis fix now removes unnecessary whitespace
- Squiz.Formatting.OperatorBracket no longer errors for negative array indexes used within a function call
- Squiz.PHP.EmbeddedPhp no longer expects a semicolon after statements that are only opening a scope
- Fixed a problem where the content of T_DOC_COMMENT_CLOSE_TAG tokens could sometimes be (boolean) false
- Developers of custom standards with custom test runners can now have their standards ignored by the built-in test runner
- Set the value of an environment variable called PHPCS_IGNORE_TESTS with a comma separated list of your standard names
- Thanks to Juliette Reinders Folmer for the patch
- The unit test runner now loads the test sniff outside of the standard's ruleset so that exclude rules do not get applied
- This may have caused problems when testing custom sniffs inside custom standards
- Also makes the unit tests run a little faster
- The SVN pre-commit hook now works correctly when installed via composer
- Thanks to Sergey for the patch
- Fixed bug #1135 : PEAR.ControlStructures.MultiLineCondition.CloseBracketNewLine not detected if preceded by multiline function call
- Fixed bug #1138 : PEAR.ControlStructures.MultiLineCondition.Alignment not detected if closing brace is first token on line
- Fixed bug #1141 : Sniffs that check EOF newlines don't detect newlines properly when the last token is a doc block
- Fixed bug #1150 : Squiz.Strings.EchoedStrings does not properly fix bracketed statements
- Fixed bug #1156 : Generic.Formatting.DisallowMultipleStatements errors when multiple short echo tags are used on the same line
- Thanks to Nikola Kovacs for the patch
- Fixed bug #1161 : Absolute report path is treated like a relative path if it also exists within the current directory
- Fixed bug #1170 : Javascript regular expression literal not recognized after comparison operator
- Fixed bug #1180 : Class constant named FUNCTION is incorrectly tokenized
- Fixed bug #1181 : Squiz.Operators.IncrementDecrementUsage.NoBrackets false positive when incrementing properties
- Thanks to Jürgen Henge-Ernst for the patch
- Fixed bug #1188 : Generic.WhiteSpace.ScopeIndent issues with inline HTML and multi-line function signatures
- Fixed bug #1190 : phpcbf on if/else with trailing comment generates erroneous code
- Fixed bug #1191 : Javascript sniffer fails with function called "Function"
- Fixed bug #1203 : Inconsistent behavior of PHP_CodeSniffer_File::findEndOfStatement
- Fixed bug #1218 : CASE conditions using class constants named NAMESPACE/INTERFACE/TRAIT etc are incorrectly tokenized
- Fixed bug #1221 : Indented function call with multiple closure arguments can cause scope indent error
- Fixed bug #1224 : PHPCBF fails to fix code with heredoc/nowdoc as first argument to a function
3.0.0RC1
- Progress output now shows E and W in green when a file has fixable errors or warnings
- Only supported if colors are enabled
- PHPCBF no longer produces verbose output by default (request #699)
- Use the -v command line argument to show verbose fixing output
- Use the -q command line argument to disable verbose information if enabled by default
- PHPCBF now prints a summary report after fixing files
- Report shows files that were fixed, how many errors were fixed, and how many remain
- PHPCBF now supports the -p command line argument to print progress information
- Prints a green F for files where fixes occurred
- Prints a red E for files that could not be fixed due to an error
- Use the -q command line argument to disable progress information if enabled by default
- Running unit tests using --verbose no longer throws errors
- Fixed shell error appearing on some systems when trying to find executable paths
- Includes all changes from the 2.7.0 release