Old themes not in WordPress core 5.1 are installed with roots/wordpress #3

Closed
noelspringer opened this issue Feb 23, 2019 · 12 comments
@noelspringer

Themes currently installed with WP core 5.1 from both wordpress.org and the johnpbloch/wordpress composer package are:

  • twentysixteen
  • twentyseventeen
  • twentynineteen

Themes installed with roots/wordpress include the above three themes as well as the old themes twentyeleven through to twentyfifteen.

@QWp6t
Member

QWp6t commented Feb 23, 2019

This repo installs releases from the official wordpress/wordpress repo.

@LeoColomb
Collaborator

Actually @noelspringer is right.
And I'm not sure zip archives from mirrored git repo releases are the official distribution zips. It seems to be more these ones: https://wordpress.org/download/releases/.

@noelspringer
Author

Aha, I see that repo includes the older themes. Curious though, since the official WordPress releases don't include them.

Could the older themes have been removed from the official releases for security reasons?

@LeoColomb
Collaborator

@noelspringer I guess old themes are kept in the sources for maintenance, but removed when building archives for distribution.

@noelspringer
Author

Makes sense, Leo. Thanks.

@retlehs
Member

retlehs commented Apr 5, 2020

Let's start figuring out some options on what we can do to remove the old themes that aren't typically distributed with WordPress.

@LeoColomb
Collaborator

LeoColomb commented Apr 5, 2020

@retlehs One option available to exclude default and old themes is downloading the "no-content" build from the WordPress.org repo:

https://downloads.wordpress.org/release/wordpress-{$version}-no-content.zip

PS: I've set up my own WordPress-composer repo with a "no-content" option, but I would like to configure a complete org with all the different available options.

@austinpray
Contributor

@LeoColomb eventually we will finish https://github.com/roots/wordpress-packager which will allow releasing all three packages

  • wordpress.org zip
  • wordpress.org no-content zip
  • git mirror

austinpray added the "help wanted" and "security" labels Apr 5, 2020

@LeoColomb
Collaborator

@austinpray That would be awesome, indeed 🙂
Let me know if I can help

austinpray self-assigned this Apr 5, 2020

@austinpray
Contributor

Looking at getting this fixed ASAP since this behavior triggers a security notice.

If anyone has time to experiment: it might be as simple as just adding some more metadata to the package to blacklist those old themes? https://getcomposer.org/doc/04-schema.md#archive

Also as far as rollout: pretty sure it's safe to assume that people will not mind if these themes disappear the next time they bump the roots/wordpress version?

@strarsis

strarsis commented Aug 6, 2021

+1 for this! Having fewer unused files is always good.

@retlehs
Member

retlehs commented May 16, 2022

https://packagist.org/packages/roots/wordpress-no-content is now available to use, fyi!

props to @LeoColomb and @swalkinshaw for their work on the new composer wordpress packages via https://github.com/roots/wordpress-packager
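
Added example (not part of the thread, and not code from the roots projects): a small shell check that reports theme directories in an installed WordPress core tree that are not on an expected list, which is the condition this issue describes. The function names are hypothetical, the theme names are the ones listed in the issue, the sample tree is constructed, and the path assumes the standard `wp-content/themes` layout under the core directory.

```shell
#!/bin/sh
# Added example: report theme directories under a WordPress core tree that
# are not on an expected list. Function names are hypothetical.

# unexpected_themes <wordpress-root> [allowed-theme ...]
# Prints one unexpected theme directory name per line.
unexpected_themes() {
    root=$1
    shift
    for dir in "$root"/wp-content/themes/*/; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        if [ ! -d "$dir" ]; then continue; fi
        name=$(basename "$dir")
        keep=no
        for allowed in "$@"; do
            if [ "$name" = "$allowed" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then printf '%s\n' "$name"; fi
    done
}

# build_sample_tree: constructed sample mirroring the theme set the issue
# reports for roots/wordpress at WordPress 5.1. Prints the temp root path.
build_sample_tree() {
    tmp=$(mktemp -d)
    for t in twentyeleven twentytwelve twentythirteen twentyfourteen \
             twentyfifteen twentysixteen twentyseventeen twentynineteen; do
        mkdir -p "$tmp/wp-content/themes/$t"
    done
    # A plain file in the themes directory; it is not a theme and is ignored.
    : > "$tmp/wp-content/themes/index.php"
    printf '%s\n' "$tmp"
}

# Stand-alone run: the allowed list is the three themes the issue says the
# wordpress.org release ships; everything else is reported.
sample=$(build_sample_tree)
unexpected_themes "$sample" twentysixteen twentyseventeen twentynineteen
rm -rf "$sample"
```

Run against a real install by passing the directory Composer places WordPress core in, followed by the themes you expect to be there; with no allowed themes given, every theme directory is reported.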
