[wp-trac] [WordPress Trac] #61525: Plugins page keeps making HTTP requests for plugin dependencies which are not in the WordPress Plugin Directory

WordPress Trac noreply at wordpress.org
Fri Jun 28 04:23:43 UTC 2024 

#61525: Plugins page keeps making HTTP requests for plugin dependencies which are
not in the WordPress Plugin Directory
--------------------------+-----------------------------
 Reporter:  siliconforks  |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Plugins       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Suppose you have two plugins installed, `foo` and `bar`, and `foo` is a
 dependency of `bar`.

 {{{#!php
 <?php

 /*
 Plugin Name: Bar
 Requires Plugins: foo
 */
 }}}

 Suppose also that `foo` and `bar` are not in the WordPress Plugin
 Directory - they are custom plugins or third-party plugins installed from
 elsewhere.

 Then, every time the Plugins admin page is visited,
 `WP_Plugin_Dependencies::get_dependency_api_data()` will make an HTTP
 request for information on `foo`:

 {{{
 https://api.wordpress.org/plugins/info/1.2/
 ?action=plugin_information
 &request%5Bslug%5D=foo
 &request%5Bfields%5D%5Bshort_description%5D=1
 &request%5Bfields%5D%5Bicons%5D=1
 &request%5Blocale%5D=en_US
 &request%5Bwp_version%5D=6.7
 }}}

 Normally, for a plugin which is found in the WordPress Plugin Directory,
 the response to this request would be cached in a transient for 12 hours,
 and there would not be any need to repeat the HTTP request for plugin
 information during that time.  However, because `foo` is not in the Plugin
 Directory, the response will return 404 Not Found, and this means that the
 HTTP request will keep getting made over and over again every time the
 Plugins page is visited.

 Some thoughts on how to improve this behavior:

 1. Maybe `WP_Plugin_Dependencies::get_dependency_api_data()` should cache
 negative responses?  That is, maybe it should remember that the HTTP
 request returned 404 Not Found and not try the request again for 12 hours?

 2. Maybe it would be wise to look at the
 [https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-
 header-in-wordpress-5-8/ Update URI] header field (if it exists) and, if
 the value is not `https://wordpress.org/plugins/{$slug}/` or
 `w.org/plugin/{$slug}`, then clearly the plugin is not in the WordPress
 Plugin Directory and the HTTP request for plugin information can be
 skipped?  This seems like it would work; on the other hand, this might be
 considered to be (ab)using the "Update URI" header for a purpose other
 than that for which it was intended.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61525>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list