@dependabot dependabot bot commented on behalf of github Nov 26, 2025

Bumps wp-coding-standards/wpcs from 3.2.0 to 3.3.0.

Release notes

Sourced from wp-coding-standards/wpcs's releases.

3.3.0

Added

  • Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props @​rodrigoprimo. #2559
  • Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #2563
  • WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #2646

Changed

  • The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #2614
  • The minimum required PHP_CodeSniffer version to 3.13.4 (was 3.13.0). #2630
  • The minimum required PHPCSExtra version to 1.5.0 (was 1.4.0). #2646
  • The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #2656
  • WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #2654
  • WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props @​rodrigoprimo. #2642
  • README: updated testVersion recommendations for PHPCompatibility. Props @​johnjago. #2471
  • Example ruleset: updated the minimum_wp_version and testVersion recommendations. #2608
  • All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #2649
  • Various housekeeping, including documentation and test improvements. Includes contributions by @​rodrigoprimo.

Deprecated

  • The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #2616

Removed

  • wp_kses_allowed_html() from the list of escaping functions. #2566 This affects the WordPress.Security.EscapeOutput sniff.

Fixed

  • WordPress.DB.DirectDatabaseQuery: false positive when function call to caching functions did not use the canonical function name. Props @​rodrigoprimo. #2613
  • WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props @​rodrigoprimo. #2615
  • WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props @​rodrigoprimo. #2570
  • WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props @​rodrigoprimo. #2569
  • WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props @​rodrigoprimo. #2605
  • WordPress.Security.NonceVerification: false positive when nonce checking function call did not use the canonical function name. Props @​rodrigoprimo. #2572
  • WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #2573
  • WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props @​rodrigoprimo. #2630

Changelog

Sourced from wp-coding-standards/wpcs's changelog.

[3.3.0] - 2025-11-25

Commits
  • 7795ec6 Merge pull request #2658 from WordPress/develop
  • 5025d83 Merge pull request #2657 from WordPress/feature/changelog-3.3.0
  • c2b30bf Merge pull request #2656 from WordPress/feature/update-minimum-wp-version
  • 12e2936 Changelog for the release of WordPressCS 3.3.0
  • da2054d Merge pull request #2654 from WordPress/feature/directdatabasequery-update-fu...
  • 7629477 Merge pull request #2651 from WordPress/feature/use-phpcompatibility-10.0.0-a...
  • 7f36b9d Update the minimum_wp_version to WP 6.6
  • 76eeb61 Merge pull request #2653 from WordPress/feature/ghactions-improve-dont-run-on...
  • 3ef3f9d Merge pull request #2652 from WordPress/feature/update-for-wp-6.9
  • 2e47aad Merge pull request #2649 from WordPress/feature/ghactions-update-for-php-8.5-...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps [wp-coding-standards/wpcs](https://github.com/WordPress/WordPress-Coding-Standards) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/WordPress/WordPress-Coding-Standards/releases)
- [Changelog](https://github.com/WordPress/WordPress-Coding-Standards/blob/develop/CHANGELOG.md)
- [Commits](WordPress/WordPress-Coding-Standards@3.2.0...3.3.0)

---
updated-dependencies:
- dependency-name: wp-coding-standards/wpcs
  dependency-version: 3.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update Php code) labels Nov 26, 2025

@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| composer/dealerdirect/phpcodesniffer-composer-installer | 1.2.0 | Unknown | Unknown |
| composer/phpcsstandards/phpcsextra | 1.5.0 | Unknown | Unknown |
| composer/phpcsstandards/phpcsutils | 1.2.1 | Unknown | Unknown |
| composer/squizlabs/php_codesniffer | 3.13.5 | Unknown | Unknown |
| composer/wp-coding-standards/wpcs | 3.3.0 | 🟢 6.5 | (below) |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | 🟢 10 | 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • composer.lock
