Vipwpcs Laravel Package
automattic/vipwpcs
PHPCS sniffs and rulesets for validating code built for WordPress VIP. Includes WordPressVIPMinimum and WordPress-VIP-Go standards, based on WPCS and VariableAnalysis. Install via Composer; supports PHP 5.4+ and PHPCS 3.13.2+.
Getting Started
Start by installing the package as a dev dependency in your project using Composer:
composer config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
composer require --dev automattic/vipwpcs
This automatically registers the WordPress-VIP-Go and WordPressVIPMinimum standards with PHPCS. After installation, run:
./vendor/bin/phpcs -i
to confirm WordPress-VIP-Go and WordPressVIPMinimum appear in the list of installed standards. Your first real use case is linting your codebase:
./vendor/bin/phpcs --standard=WordPress-VIP-Go path/to/your/plugin.php
Check the VIP docs on PHPCS reports to understand error/warning severity and how to interpret results.
Implementation Patterns
-
CI Integration: Use in GitHub Actions or GitLab CI to fail builds on violations. A typical workflow step:
- name: Run VIP Coding Standards run: ./vendor/bin/phpcs --standard=WordPress-VIP-Go --extensions=php --severity=5 .Adjust
--severityand--warning-severityto balance strictness and developer feedback. -
Editor Integration: Configure VS Code (with PHPCS extension) or PHPStan/PSR support to use the VIP ruleset via
phpcs.standard: "WordPress-VIP-Go". -
Custom Ruleset: Extend the provided rulesets for project-specific tweaks: create
phpcs.xmlwith:<?xml version="1.0"?> <ruleset name="MyVIP"> <rule ref="WordPress-VIP-Go"/> <exclude name="WordPressVIPMinimum.Security.EscapeOutput.OutputNotEscaped"/> </ruleset>⚠️ As of v2.3.0, do not override the
escaping_functionproperty in custom rulesets—it’s disallowed. -
Test Suite Integration: Run PHPCS as part of your test suite via
./vendor/bin/phpcsincomposer testscripts orphpunit.xmlviaphpcstest runner. -
Legacy Projects: Use
WordPressVIPMinimumfor old wp.com VIP projects; preferWordPress-VIP-Gofor modern VIP Go deployments (the default).
Gotchas and Tips
- Breaking changes in v2.2.0+: If you have
WordPressVIPMinimum.Variables.Variablesreferences in config or inline@phpcs:ignore, replace withVariableAnalysis.CodeAnalysis.VariableAnalysis. - Escaping sniff changes in v2.3.0: The
ProperEscapingFunctionsniff was improved but now doesn’t allow overriding ofescaping_function—remove any such config. - False positives on
VariableAnalysis: SilenceUnusedVariableper PR #620 to reduce noise—this is already done by default in the ruleset. - File includes:
IncludingNonPHPFilenow recognizes.pharand interpolated strings—be precise with constants used ininclude/requireto avoid false positives. Use$allowedKeywordsto tune. - WP_Query sniffs:
WPQueryParamsnow flags'exclude'—verify usage; it may be legitimate for complex tax queries. - Output escaping: Pay close attention to
ProperEscapingFunctionforactionattributes on<form>tags and URL/HTML attribute context detection—it’s strict but covers common XSS pitfalls. - Global install caveat: If installed globally, always run
phpcs -ito verify VIP standards are registered—Composer plugins may conflict if multiple PHPCS standards are used. - Debugging: Use
--debugwith PHPCS to see which sniffs fire and why:./vendor/bin/phpcs --standard=WordPress-VIP-Go --debug file.php 2>&1 | grep -A1 'fired'
How can I help you explore Laravel packages today?