GitHub Adds Dependency Graphs, Security Alerts for PHP Repos

Screenshot of a repository's dependency graph on GitHub.

PHP developers everywhere can rejoice as GitHub adds the long-awaited dependency graphs feature for PHP repositories that use Composer. The feature provides security alerts, shows dependency insights, and displays the dependents of a given repository. If enabled, it can also automatically send security fixes to the repository via pull requests.

GitHub initially added support for JavaScript and Ruby when rolling out dependency graphs in 2017. They added support for Yarn lock files in July of this year. This has been a boon to the JavaScript community as it alerts developers of vulnerabilities in code they’re using and shipping to users.

“We’re also seeing PHP and Composer grow in popularity–PHP is the fourth most popular language on GitHub and Composer is the fourth most starred PHP project,” wrote Justin Hutchings, Senior Product Manager at GitHub. The company has taken notice of the trends. JavaScript is a hot topic in many developer circles today, but PHP frameworks such as Laravel and Symfony continue growing in popularity and dominate among popular PHP repositories.

Composer is the de facto standard for PHP dependency management. Core WordPress first added Composer support for development environments in version 5.1. While it’s not a part of the release package, this was a small victory after a years-long discussion of adding a basic composer.json file to core. Core hasn’t fully embraced Composer or any type of PHP dependency management, but plugin and theme authors are using it more than they were a few short years ago. The new alerts and automatic pull requests will offer one more avenue for catching security issues in plugins and themes.

GitHub seems to be rolling this feature out in waves. Some repositories with dependency graphs enabled still do not have their PHP dependencies listed. It may take some time, but developers should start seeing the dependencies listed in their composer.json or composer.lock files appear.

Public repositories should begin seeing automatic security alerts when an issue is found. GitHub will start notifying repository owners of these alerts via web notifications or email, depending on what the account holder has set as their preference. Developers with private repos or who have disabled dependency graphs will need to enable them to take advantage of the new feature.

Security alerts on old repositories could become an annoyance. GitHub recommends archiving those repos. “Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts,” explained Hutchings.

Developers who have opted into GitHub’s automatic security fixes beta feature can now enjoy automatic pull requests (PRs) from GitHub when vulnerabilities are found. GitHub creates a PR with the minimum possible secure version. The developer can then merge the PR at their discretion.
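A check of the kind the dependency graph runs, as an added illustration that is not GitHub's or Composer's own code: it reads the packages pinned in a composer.lock, matches them against an advisory list and reports the minimum secure version a fix PR would target. The composer.lock content, package names, versions and advisory ids are constructed placeholders.

```python
"""Match the packages pinned in a composer.lock file against security
advisories, the way a dependency-graph alert does.

Added illustration, not GitHub's or Composer's own code. The composer.lock
content and the advisories below are constructed samples; the package names,
versions and advisory ids are placeholders, not real advisories.
"""
import json
import re

# Constructed composer.lock fragment: only the fields the check reads.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/http-client", "version": "v1.4.2"},
        {"name": "example/template-engine", "version": "2.0.9"},
    ],
    "packages-dev": [
        {"name": "example/test-helper", "version": "3.1.0"},
    ],
})

# Constructed advisories: a package is affected when its version lies in
# [introduced, fixed). `fixed` is the minimum secure version a fix PR bumps to.
SAMPLE_ADVISORIES = [
    {"id": "PLACEHOLDER-ADVISORY-1", "package": "example/http-client",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "PLACEHOLDER-ADVISORY-2", "package": "example/template-engine",
     "introduced": "2.0.0", "fixed": "2.0.8"},
    {"id": "PLACEHOLDER-ADVISORY-3", "package": "example/test-helper",
     "introduced": "3.0.0", "fixed": "3.2.0"},
]


def parse_version(version):
    """Turn 'v1.4.2' or '1.4' into a comparable tuple of ints.

    Composer allows a leading 'v'; missing components count as 0 and any
    suffix such as '-beta1' is ignored for this check.
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if core is None:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def locked_packages(lock_text, include_dev=True):
    """Return {name: version} for every package pinned in a composer.lock."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {pkg["name"]: pkg["version"]
            for section in sections for pkg in lock.get(section, [])}


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    return (parse_version(advisory["introduced"]) <= v
            < parse_version(advisory["fixed"]))


def find_alerts(lock_text, advisories, include_dev=True):
    """One alert per (package, advisory) match, with the minimum secure version."""
    pinned = locked_packages(lock_text, include_dev)
    alerts = []
    for adv in advisories:
        current = pinned.get(adv["package"])
        if current is not None and is_affected(current, adv):
            alerts.append({"package": adv["package"], "advisory": adv["id"],
                           "current": current, "minimum_secure": adv["fixed"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_COMPOSER_LOCK, SAMPLE_ADVISORIES):
        print(f"{alert['package']} {alert['current']} is affected by "
              f"{alert['advisory']}; update to >= {alert['minimum_secure']}")
```

Dev-only dependencies (the `packages-dev` section) are included by default; pass `include_dev=False` to mirror a check that only cares about what ships to production.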

Dependency graphs also make for a much nicer experience when browsing a repository’s dependencies. Previously, developers would need to dive into a project’s composer.json or view them from Packagist, the official package directory for Composer. Developers can now click on a link to view a dependent repository.

Rolling this feature out for PHP repos is a welcome addition and should help more projects keep their code secure.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let’s discuss your ideas.
WordPress Community Contributors to Host Free Online Diversity Workshop Ahead of WordCamp US

WordCamp US will debut a new Community Track in November that will feature sessions and workshops on topics like meetups, WordCamps, diversity and inclusion, and kids/youth. Jill Binder, Allie Nimmons, Aurooba Ahmed, and David Wolfpaw will be hosting a workshop called “Creating a Welcoming and Diverse Space” at the event. In order to adequately prepare for presenting on this sensitive topic, the team will be running the workshop in a live, interactive Zoom call on Sunday, October 6.

In light of the recent news about a central European PHP conference getting canceled due to a lack of a diverse lineup, the broader PHP community is becoming more conscious of the importance of recruiting speakers that better represent their communities.

“The Diverse Speaker Workshops that I’m running in WordPress and am bringing to other technologies have been just as important for years as they are now,” training leader Jill Binder said. “These workshops are an essential piece to the whole puzzle for creating diverse communities, attendance at events, public speakers, and ultimately, leaders and organizers.”

Binder said there are many factors in society that work against having diversity in a tech event’s public speaker lineup, but one that her team is specifically tackling in these workshops is imposter syndrome.

“Our workshops help folks bust through their impostor syndrome and develop a topic, title, pitch, bio, and outline, more confidence in public speaking, and the motivation to start speaking,” Binder said.

“The new workshop that Allie, Aurooba, David, and I are creating for WordCamp US on ‘Creating a Welcoming and Diverse Space’ is another important piece to the puzzle. We are going to be teaching mindset, community, environment, speakers, and allyship. It will be an interactive workshop where people will walk away with an action list they can start implementing in their communities (whether in person or online) right away.”

Some organizers of tech events have claimed that for certain events it is impossible to create a diverse lineup of speakers due to the demographics of the community and lack of willing participants.

Binder said that in her experience it is unlikely that more diverse people are unwilling to speak but rather that the event is not being created with more kinds of people in mind. She offered a few suggestions for organizers to consider in planning ahead for a welcoming and diverse space:

  • Have the event at different times that work for people with families. For example, don’t hold them all at 9pm at night. Weekend afternoons may work. Ask those with children what works for them.
  • Consider venues that are not centered around alcohol (like bars and pubs). This opens up the event to attendees who are under 21, recovering addicts, folks who belong to a religious group that prohibits alcohol, and many other people who don’t feel safe or welcome in an alcohol-focused environment.
  • Choose venues that have accessible alternatives to stairs, such as elevators and ramps.
  • Try to have more diversity in the organizing team.
  • Bring in more diverse speakers. Don’t know how? Check out the Diverse Speaker Workshop – in WordPress and in other tech communities.

She also recommends organizers directly invite more people into their communities.

“Ask people in your network to introduce you to diverse people they may know who work with WordPress or your technology,” Binder said. “You can even go out and find those communities in your area – online and in person – or ask people to make an introduction for you to those groups. Examples of groups: Ladies Learning Code, Black Girls Code. Form genuine, friendly relationships with community members so that they can help you reach the WordPress enthusiasts in their communities.”

Binder said the team will go into more detail on these topics during the workshop. Anyone who would like to learn more is welcome to attend the online public rehearsal for the workshop on October 6, from 3pm to 5pm ET. This is a unique opportunity for those who cannot attend WordCamp US to join in on one of the interactive workshops. Comment on the Community team’s post with contact information and the workshop leaders will send the Zoom link and more information.

EditorsKit Adds Nofollow Options for Links, Fixes Bug with Gutenberg Metaboxes Overlapping in Chrome

EditorsKit is becoming somewhat of a “hotfix” plugin for Gutenberg, especially with the additions to the 1.14 release this week. Developer Jeffrey Carandang added new link formats for nofollow rel attribute options, along with a fix for an annoying bug in Chrome that causes Gutenberg metaboxes to overlap. He has been closely monitoring feedback on both Gutenberg and EditorsKit, introducing features for which users have an immediate need.

Google recently announced new ways to identify nofollow links with two additional rel attribute options for specifying links as sponsored and/or user-generated content. The Gutenberg core team has expressed hesitation on a PR that would add nofollow link options, invoking WordPress’ 80/20 rule.

Since the related PR doesn’t seem to be a priority, with no movement for two weeks, Carandang decided to add the nofollow and sponsored rel attribute options to EditorsKit, so users can start following Google’s recommendations without having to switch to HTML mode. He also managed to make it work with the version of Gutenberg included in core.

Nofollow link options

Chrome users may have noticed that the block editor has a nasty bug with metaboxes overlapping, obscuring the main content area. This problem was introduced in the recent Chrome 77 update and is present on WordPress 5.2.3 and older versions.

Chrome developers are aware of the issue and a fix will be in the next release. Version 78 is expected October 22. Since it is a bug with Chrome, the Gutenberg team has opted not to release a fix/workaround for this problem. In the meantime, they recommend updating to WordPress 5.3 if it is released before the Chrome bug is fixed. This isn’t likely, as 5.3 is scheduled for mid-November.

The Gutenberg team also recommends using a different browser or installing the Gutenberg plugin to fix the issue. Andrea Fercia noted on the ticket that the plugin is still listed among WordPress’ beta plugins and may not be advisable to use in production on some sites. Users with a technical background can implement one of several CSS solutions in the ticket, but this is a frustrating bug for users who don’t know how to apply code fixes.

Carandang added a fix for this bug to the most recent version of EditorsKit. So far his strategy of being responsive to users’ requests seems to have been successful, as his Gutenberg utility plugin now has more than 1,000 active installs. He said he is happy to add hot fixes for EditorsKit users and will remove them once the fixes have been added to Chrome and/or the block editor.

GPL Author Richard Stallman Resigns from Free Software Foundation

Richard Stallman, free software movement activist and originator of the “copyleft” concept, has resigned from his position as director of the board and president of the Free Software Foundation (FSF), which he established in 1985. This resignation comes on the heels of his resignation from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) after remarks he made regarding a 17-year-old victim of sex trafficker Jeffrey Epstein, characterizing her as seeming “entirely willing.”

Stallman blamed media coverage for misinterpreting his comments as a defense of Epstein two days before announcing his resignation from MIT on his personal blog:

To the MIT community, I am resigning effective immediately from my position in CSAIL at MIT. I am doing this due to pressure on MIT and me over a series of misunderstandings and mischaracterizations.

The remarks in question were sent on a department-wide CSAIL mailing list in response to an MIT student email calling for a protest against Jeffrey Epstein’s donation to the school. Selam Jie Gano, the MIT graduate who exposed Stallman’s comments in a post on Medium, also leaked the full thread to Vice.

In the email thread, which was also circulated to undergraduate students, Stallman became pedantic about the definition of assault and the use of the term ‘rape’ after a student pointed out the laws of the location and the victim’s age:

I think it is morally absurd to define “rape” in a way that depends on minor details such as which country it was in or whether the victim was 18 years old or 17.

These comments caused media organizations to dig up old posts from Stallman’s blog where he demands an end to the censorship of “child pornography” and says he is “skeptical of the claim that voluntarily pedophilia harms children.”

Why Stallman felt it necessary to lend his controversial views to public comments on rape, assault, and child sex trafficking on a public mailing list is a mystery, but he has a long history of being outspoken when it comes to politics and civil liberties.

This particular incident seemed to be the straw that broke the camel’s back, unleashing a flood of outrage from the free software and broader tech communities who demanded Stallman’s removal from the FSF. Critics cited two decades of behaviors and statements that many have found to be disturbing and offensive. The Geek Feminism Wiki maintains a catalog that includes some of these references.

“The free software community looks the other way while they build their empires on licenses that sustain Stallman’s power,” software engineer and founder of RailsBridge Sarah Mei said in a Tweetstorm calling on the FSF to remove Stallman from his positions of influence.

“Your refusal to part ways with him – despite well-known incidents that have pushed women and others out of free software for decades – might have been ok 10 years ago. Maybe even two years ago. It’s not ok now.”

The Software Freedom Conservancy also issued a statement calling for Stallman’s removal, titled “Richard Stallman Does Not and Cannot Speak for the Free Software Movement:”

When considered with other reprehensible comments he has published over the years, these incidents form a pattern of behavior that is incompatible with the goals of the free software movement. We call for Stallman to step down from positions of leadership in our movement.

We reject any association with an individual whose words and actions subvert these goals. We look forward to seeing the FSF’s action in this matter and want to underscore that allowing Stallman to continue to hold a leadership position would be an unacceptable compromise. Most importantly, we cannot support anyone, directly or indirectly, who condones the endangerment of vulnerable people by rationalizing any part of predator behavior.

In a 2017 Twitter thread, Mei shared some context on her perspective of how Stallman’s influence has had a ripple effect of damage throughout the free software and open source communities:

In the 90s, Richard Stallman’s attitude towards women alienated me (and many others) from any interest in or support for “free software.” Viewing software through the Richard Stallman/GNU/“free as in freedom” lens would have run our industry into the ground. But it was the only alternative to proprietary software for ~20 years. So lots of folks worked on it despite finding Stallman problematic. This was the period when women largely declined to be part of computing, despite having pretty reasonable representation through the 80s.

In the early 2000s, “open source” was a breath of fresh air. All of the usefulness! None of the built-in arrogance, privilege, or misogyny! But just because it wasn’t built in doesn’t mean it disappeared. As folks converted, the behaviors normalized by Stallman and others followed. Our drive now for diversity/inclusion wasn’t even conceivable until we discarded GNU, Stallman, and “free software” in favor of “open source.” It’s not an accident that the communities who still, today, embrace that outdated philosophy are the least diverse and the most hostile.

Stallman is the author of the GPL, which he wrote with the help of lawyers. For the most part, the free software community is able to objectively separate the license from the man who conceived it. The FSF’s sister organization in Europe welcomed Stallman’s resignation, echoing the sentiments of many who value his contributions but are unwilling to support his public representation of the organization:

On 16 September, one of our independent sister organizations, the US-based Free Software Foundation (FSF), announced the resignation of Richard M. Stallman as its president. While we recognize Stallman’s role in founding the Free Software movement, we welcome the decision.

The FSF has the opportunity to redefine itself after the resignation of its founder and supporters are hopeful that the free software movement can find a better way forward without Stallman’s influence.

“I believe in Free Software and have published most of my work open source under LGPL/GPL/AGPL (notably including Cydia, Cycript, WinterBoard, ldid, and now my work on Orchid),” software engineer Jay Freeman said. “I’m glad to see Richard Stallman leave, and hope this starts a new era for the Free Software Foundation.”

New Attock WordPress Meetup Empowers Pakistani Women Freelancers and Business Owners

WordCamp Lahore is getting rebooted on November 30 – December 1, at the National University of Computer and Emerging Sciences. The first edition of the event was planned for 2016 but was derailed by local disagreements and ultimately canceled. For the past three years organizers have worked to strengthen their local meetup groups and follow suggestions from the WordPress Foundation before reapplying. The Lahore WordPress meetup group now has 4,383 members who regularly meet in various groups across the area.

WordCamp Lahore lead organizer Muhammad Kashif said his team is expecting more than 350 attendees, with the majority of them coming from the local community.

“We still have attendees from other cities and in closing I encourage them to start local chapters and offer any help they need,” Kashif said. He works as a Master Trainer for a government training program called eRozgaar that trains unemployed youth in more than 25 centers across Punjab. The program was launched by the Punjab Government in March 2017 and WordPress is a major part of the eRozgaar curriculum.

“I manage the WordPress curriculum and in a recent update I have included community building, which is about Meetups and WordCamp events,” Kashif said. He reports that eRozgaar trainees have collectively earned more than US$1 million to date after going through the 3.5-month program.

“The program is making a big impact, especially for women who can’t go out for jobs,” Kashif said. “They are making good money from freelancing and WordPress is playing a big part in that.”

Kashif attributes some of Pakistan’s current economic challenges to a rapidly growing population and poor planning from past governments. The job opportunities have not grown as fast as the population, which was one of the reasons the government created the eRozgaar training program.

As the result of having WordPress in the curriculum that is used across so many areas of Punjab, new meetups are starting to pop up in other cities. Salma Noreen, one of the program’s trainers who Kashif worked with, started a meetup in Attock and is the first female WordPress meetup organizer in Pakistan. She plans to apply for WordCamp Attock in 2020.

Salma Noreen, first female WordPress meetup organizer in Pakistan

“Attock is a small city but love for WordPress is big and I am so happy to see other women participating in the WordPress community,” Noreen said.

“Every year, 1000+ people graduate in this city after 16 years of education. But we don’t have many jobs in this small city, so a small number of people who are backed by financially good families can move to other big cities like Lahore and Karachi for jobs and learning opportunities. The remaining people’s future is always a question mark.

“Being a woman, I was more worried about women, as we have a cultural barrier that most women cannot get permission to relocate or go out of home for a regular 9 to 5 job. Introducing them to WordPress and then guiding them on how to find online clients has helped many to earn a decent living from home.”

For the past 10 years, Noreen has worked primarily as a freelancer and has completed more than 3,500 web development projects. She is mentoring new WordPress users in her city to become successful freelancers and online store owners using resources like Udemy courses, YouTube, public blogs, and the WordPress Codex.

“I am still struggling but yes I am confident that one day everyone will be making enough from home,” she said.

The Attock WordPress meetup is averaging 60-70 attendees in recent months, where members share their knowledge, experience, and best practices. For many of those attending, the meetup group was their first introduction to the software. Noreen describes the local community as “crazy about WordPress” and eager to have their own WordCamp in 2020.

Attock WordPress meetup

One meetup member, Uroosa Samman, is a graduate of Environmental Science studies but is now working with WordPress after attending the monthly meetups.

“I didn’t have any WordPress or coding background during my education,” Samman said. “It was difficult for me to learn tech things. The meetups were very helpful and motivational for me, so I decided to start working in tech. Since the events were organized by a female organizer, it was comfortable for us to attend. I am able to provide my services as a freelancer and I am developing my own WordPress e-commerce store. If I get stuck in any issue related to WordPress, I immediately contact this community and they are always ready to help each other.”

Women attending a recent Attock WordPress Meetup

Shahryar Amin, a recent college graduate, was uncertain about his future until he discovered WordPress through Noreen’s support and the Attock meetup:

Just a few months ago, I was completely devastated financially. Pakistan is going through turbulent times, and its economy has never been performing this low. So, fresh graduates like me had their dreams absolutely shattered, when after four months of rigorous effort, we were unable to find a source of livelihood. That was truly a testing time.

Moving back to my small city, I was not much hopeful for the future. My hometown, Attock, is a remote city with limited opportunities to advance one’s career. But ironically, that turned out to be a wrong assumption. I moved back to my city after nearly four years, and it had some phenomenal changes which I couldn’t resist noticing. The most impressive of them was WordPress meetups.

That was the first time I became familiar with the platform. I was curious, and that got me to the very first meetup organized by Ms. Salma Noreen. She is a remarkable soul, and I can’t thank her more for putting up such effort for an ignored city like ours. I learned my basics from these meetups, and as my interest became my passion, I was spending more and more hours on learning WordPress through the internet. I had no programming skills, but fortunately one doesn’t need any to set up a website on WordPress.

As I delved further into it, I discovered some very useful plugins, like Elementor, Divi and Visual Composer, and at that moment I decided to become a designer using WordPress. I won’t say that I have become an expert in WordPress, but I am paying back the community by sharing my knowledge as a speaker at the very last meetup on July 30. Also, I have been working as a freelance designer on various online platforms, and WordPress expertise has truly been rewarding me financially.

Shahryar Amin speaking at a recent Attock WordPress meetup

Attock resident Sania Nisar has a degree in software engineering and used to spend several days creating a simple website before discovering WordPress. She has never had any formal training through paid courses but is now working as a WordPress professional with the knowledge she gained from attending WordPress meetups and online resources.

“WordPress Attock is playing a vital role in empowering women in my vicinity,” Nisar said. “It is difficult for the women of Attock to travel to big cities like Islamabad to gain knowledge. However, WordPress Attock has efficiently solved this problem by providing an engaging learning platform for the women of this city. Today I am a successful freelancer and a WordPress professional.”

Noreen said her team hopes to bring 15 to 20 people from Attock to attend WordCamp Lahore. The trip is expensive and takes approximately seven hours, so not many will be able to make it, but there will be other camps in the region that are nearer for Attock residents.

Last year a WordCamp was held in Islamabad, and the second WordCamp Karachi took place in August 2019. WordCamp Lahore will be Pakistan’s fourth WordCamp, held in the country’s second-most populous city. Attendees will have the opportunity to meet and connect with WordPress professionals and enthusiasts from across Pakistan. Speaker applications are open and sessions will be held in Urdu and English. Regular admission is Rs 1,700.00 and tickets are now on sale.

Google Announces New Ways to Identify Nofollow Links, Progress on Related Gutenberg Ticket Is Currently Stalled

This week Google announced changes to the 15-year-old nofollow attribute that was previously recommended for identifying links related to advertising, sponsors, or content for which users do not intend to pass along ranking credit. The nofollow attribute is no longer a catchall for these types of instances, as Google has introduced two new rel values (“sponsored” and “ugc”) to further specify the purpose of the link to the search engine:

  • rel="sponsored": Use the sponsored attribute to identify links on your site that were created as part of advertisements, sponsorships or other compensation agreements.
  • rel="ugc": UGC stands for User Generated Content, and the ugc attribute value is recommended for links within user generated content, such as comments and forum posts.
  • rel="nofollow": Use this attribute for cases where you want to link to a page but don’t want to imply any type of endorsement, including passing along ranking credit to another page.

Google is also shifting to using a “hint model” for interpreting the new link attributes:

When nofollow was introduced, Google would not count any link marked this way as a signal to use within our search algorithms. This has now changed. All the link attributes — sponsored, UGC and nofollow — are treated as hints about which links to consider or exclude within Search. We’ll use these hints — along with other signals — as a way to better understand how to appropriately analyze and use links within our systems.

The announcement includes a few notable instructions regarding usage. Although all the new link attributes are working today as hints for ranking purposes, there is no need to change existing links. For sponsored links, Google recommends switching over to using rel="sponsored" if or when it is convenient. Users can also specify multiple rel values (e.g. rel="ugc sponsored"). Google plans to use the hints for crawling and indexing purposes beginning March 1, 2020.
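The rel handling that a plugin's nofollow option or a comment filter needs, as an added example in Python rather than WordPress PHP (not code from Gutenberg, Google or any plugin): it builds the combined rel value for a link from a policy and rewrites the anchor tags in a comment fragment, keeping an existing nofollow and adding ugc, so several values end up on one link. The policy encoding and the comment markup are constructed for this example.

```python
"""Apply Google's rel hint values to the links in an HTML fragment.

Added illustration, not Gutenberg, WordPress or Google code, written in Python
rather than the plugin's PHP. The comment markup below is a constructed sample,
and the policy is an assumption made for the example: links in user-generated
content get "ugc", paid links get "sponsored", and an existing "nofollow" is
kept because existing links do not need to change.
"""
from html import escape
from html.parser import HTMLParser


def parse_rel(rel):
    """Split a rel attribute into a set of lower-case tokens (None -> empty)."""
    return set((rel or "").lower().split())


def build_rel(existing, ugc=False, sponsored=False, nofollow=False):
    """Return the rel token set for a link under the given policy.

    Existing tokens are preserved and hint values are only ever added, so a
    link can carry several at once, e.g. 'nofollow sponsored ugc'.
    """
    tokens = parse_rel(existing)
    if ugc:
        tokens.add("ugc")
    if sponsored:
        tokens.add("sponsored")
    if nofollow:
        tokens.add("nofollow")
    return tokens


class RelRewriter(HTMLParser):
    """Rewrite every <a> start tag with the policy's rel; copy the rest through."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=False)
        self.policy = policy
        self.line_starts = [0]
        self.edits = []  # (start_offset, end_offset, replacement_tag)

    def rewrite(self, fragment):
        self.reset()  # fresh parser state and (line, offset) counters
        self.line_starts = [0] + [i + 1 for i, c in enumerate(fragment) if c == "\n"]
        self.edits = []
        self.feed(fragment)
        self.close()
        out, pos = [], 0
        for start, end, replacement in self.edits:
            out.append(fragment[pos:start])
            out.append(replacement)
            pos = end
        out.append(fragment[pos:])
        return "".join(out)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        line, col = self.getpos()  # position of this tag's '<'
        start = self.line_starts[line - 1] + col
        original = self.get_starttag_text()
        rel = build_rel(dict(attrs).get("rel"), **self.policy)
        parts = []
        for name, value in attrs:
            if name == "rel":
                continue  # re-emitted below with the computed value
            # HTMLParser unescapes attribute values, so escape them again.
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        parts.append(f'rel="{" ".join(sorted(rel))}"')
        self.edits.append((start, start + len(original), "<a " + " ".join(parts) + ">"))


# Constructed sample: a comment body as a plugin would see it before output.
SAMPLE_COMMENT = (
    '<p>Try <a href="https://example.com/tool" target="_blank">this tool</a> and\n'
    '<a rel="nofollow" href="https://example.com/post?a=1&amp;b=2">my post</a>.</p>'
)


def mark_comment_links(fragment):
    """Comment links are user-generated content: add 'ugc' to every one."""
    return RelRewriter({"ugc": True}).rewrite(fragment)


if __name__ == "__main__":
    print(mark_comment_links(SAMPLE_COMMENT))
```

A sitewide "sponsored" pass is the same rewriter with `{"sponsored": True}`; because values are only added, a link that already carried ugc or nofollow keeps it.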

The new ways to identify nofollow links impact not only how users create links on their sites but also plugins that add the nofollow attribute sitewide or otherwise. Plugin authors will want to reevaluate the options provided in their products.

Progress on the relevant Gutenberg PR for adding a nofollow option has stalled and is not currently listed for any upcoming milestones. Last week Gutenberg designer Mark Uraine expressed hesitation on adding this feature to the plugin.

“I’m hesitant on this one,” Uraine said. “I think it’s been a long-standing discussion and there are reasons behind not including this option in the Classic Editor.

“How does it adhere to the WordPress 80/20 rule? We’re looking to implement this as an option (not a decision)… so will 80% of WP users benefit from it?”

Gutenberg users are continuing to advocate on the ticket for the necessity of nofollow link options.

“Now, with Gutenberg, you can only add a nofollow by switching to the HTML version and manually adding the nofollow attribute,” Andreas de Rosi said. “It’s a big pain. I don’t know how to best implement it (I am not a programmer), but this is an important feature the Gutenberg editor should have.”

Paal Joachim Romdahl commented on the ticket, requesting a simple way for plugins to extend the link dialog box if the Gutenberg team decides to reject the PR for adding nofollow options.

More general discussion regarding how to implement link settings extensibility is open in a separate ticket on the Gutenberg repository.
