WordPressCS 3.0.0 was released this week with what its maintainer, Juliette Reinders Folmer, says are significant changes to improve the accuracy, performance, stability, and maintainability of all sniffs, and its handling of modern PHP. The project is a collection of PHP_CodeSniffer rules (sniffs) that are used to validate code developed for WordPress, helping developers meet the requirements of the official WordPress Coding Standards.

This update adds many of the non-controversial rules proposed in March 2020 to the Coding standards guidelines but leaves those that generated more discussion or objections for a future release. Many of the new rules are now available as sniffs in WordPressCS.

Version 3.0.0 includes important architecture changes. Most notably, Composer is now the only supported way to install WordPressCS, as this update includes four run-time dependencies. The release contains breaking changes for those using ignore annotations and those who maintain custom rulesets or have created a custom PHPCS standard based on the project. A detailed upgrade guide is available for these various scenarios.

WordPressCS is largely maintained by Folmer and a small group of volunteers, but the future of the project is in jeopardy if they cannot get funding. Folmer said it is currently in a good place with this release but this will not last long with the pace at which PHP is moving.

“WordPressCS 3.0.0 has cost thousands of hours of work and the vast majority of work has been done by one, mostly unpaid, contributor, with code review support from two fellow maintainers,” she said.

“Unless funding is found to continue maintaining WordPressCS and its dependencies, the future is bleak and maintenance will be halted.”

Folmer is calling on corporation and agency users of WordPressCS to find a way to fund the project’s continued maintenance and development. She elaborated on the dire need to have more contributors involved:

If we are being realistic, the bus factor of WordPressCS is 1, which is the most dangerous situation for any project to be in.

A large part of the WordPress community, including WordPress Core, relies heavily on the WordPress Coding Standards for code quality and security checks and while the community has been pretty vocal with copious complaints about the delayed release, barely anyone has stepped up and actually contributed.

The majority of the work for WordPressCS requires specialized knowledge. Knowledge which can be learned with enough time investment, but in recent years nobody has stepped up to do so.

This is an unsustainable situation and it ends now.

WordPressCS has become one of the most highly used open source tools in the WordPress ecosystem that is now in a vulnerable place with so few contributors. Although many developers commented on the release, thanking Folmer for her efforts, no contributors or corporations have publicly stepped forward to support the project’s continued develpment.

“With over 15 million installations on Packagist and a 400% increase in monthly installation in the past three years alone, WPCS’s popularity is surging and shows no sign of stopping,” Lucas Bustamante, a backend developer specialized in automated tests, commented on the post. “The situation is alarming as WPCS is a foundational tool that flags not only code style issues but also critical security issues, making WordPress a more secure CMS. Letting WPCS fall into limbo poses a risk to the entire WordPress ecosystem.”