Skip to content

PHP_CodeSniffer Upgrade and Legacy Package Deprecations – July 2026#

We are preparing to upgrade our PHP CodeSniffer tool to the latest version. This update will bring vital performance improvements, better syntax parsing, and support for the latest PHP features.

We know how important your current workflows and rule configurations are. However, to successfully complete this upgrade, we have encountered hard compatibility constraints with several older, unmaintained coding standard packages. To move forward, we must officially remove support for these legacy packages and their associated rules.

Packages Being Removed#

The following packages are incompatible with the latest PHP_CodeSniffer version or are no longer maintained, and will be dropped in this release:

  • automattic/vipwpcs
  • magento/magento-coding-standard
  • magento/marketplace-eqp
  • pheromone/phpcs-security-audit
  • wp-coding-standards/wpcs

What to expect#

As a result, pattern IDs from these packages will no longer be evaluated during your code scans, and any existing issues from them will disappear.

Below is the comprehensive list of patterns that are being removed, categorized by their respective frameworks.

Magento#

  • MEQP1_Classes_Mysql4
  • MEQP1_Classes_ObjectInstantiation
  • MEQP1_Classes_ResourceModel
  • MEQP1_CodeAnalysis_EmptyBlock
  • MEQP1_Exceptions_DirectThrow
  • MEQP1_Exceptions_Namespace
  • MEQP1_Performance_CollectionCount
  • MEQP1_Performance_EmptyCheck
  • MEQP1_Performance_InefficientMethods
  • MEQP1_Performance_Loop
  • MEQP1_PHP_Goto
  • MEQP1_PHP_PrivateClassMember
  • MEQP1_PHP_Syntax
  • MEQP1_PHP_Var
  • MEQP1_SQL_MissedIndexes
  • MEQP1_SQL_RawQuery
  • MEQP1_SQL_SlowQuery
  • Magento2Framework_Header_Copyright
  • Magento2Framework_Header_CopyrightAnotherExtensionsFiles
  • Magento2Framework_Header_CopyrightGraphQL
  • Magento2Framework_Header_License
  • Magento2_Annotation_MethodAnnotationStructure
  • Magento2_Annotation_MethodArguments
  • Magento2_Classes_AbstractApi
  • Magento2_Classes_DiscouragedDependencies
  • Magento2_CodeAnalysis_EmptyBlock
  • Magento2_Commenting_ClassAndInterfacePHPDocFormatting
  • Magento2_Commenting_ClassPropertyPHPDocFormatting
  • Magento2_Commenting_ConstantsPHPDocFormatting
  • Magento2_Exceptions_DirectThrow
  • Magento2_Exceptions_ThrowCatch
  • Magento2_Exceptions_TryProcessSystemResources
  • Magento2_Functions_DiscouragedFunction
  • Magento2_Functions_FunctionsDeprecatedWithoutArgument
  • Magento2_Functions_StaticFunction
  • Magento2_GraphQL_AbstractGraphQL
  • Magento2_GraphQL_ValidArgumentName
  • Magento2_GraphQL_ValidEnumValue
  • Magento2_GraphQL_ValidFieldName
  • Magento2_GraphQL_ValidTopLevelFieldName
  • Magento2_GraphQL_ValidTypeName
  • Magento2_Html_HtmlBinding
  • Magento2_Html_HtmlClosingVoidTags
  • Magento2_Html_HtmlCollapsibleAttribute
  • Magento2_Html_HtmlDirective
  • Magento2_Html_HtmlSelfClosingTags
  • Magento2_Legacy_AbstractBlock
  • Magento2_Legacy_ClassReferencesInConfigurationFiles
  • Magento2_Legacy_DiConfig
  • Magento2_Legacy_EmailTemplate
  • Magento2_Legacy_EscapeMethodsOnBlockClass
  • Magento2_Legacy_InstallUpgrade
  • Magento2_Legacy_Layout
  • Magento2_Legacy_MageEntity
  • Magento2_Legacy_ModuleXML
  • Magento2_Legacy_ObsoleteAcl
  • Magento2_Legacy_ObsoleteConfigNodes
  • Magento2_Legacy_ObsoleteConnection
  • Magento2_Legacy_ObsoleteMenu
  • Magento2_Legacy_ObsoleteSystemConfiguration
  • Magento2_Legacy_PhtmlTemplate
  • Magento2_Legacy_RestrictedCode
  • Magento2_Legacy_TableName
  • Magento2_Legacy_WidgetXML
  • Magento2_Less_AvoidId
  • Magento2_Less_BracesFormatting
  • Magento2_Less_ClassNaming
  • Magento2_Less_ColonSpacing
  • Magento2_Less_ColourDefinition
  • Magento2_Less_CombinatorIndentation
  • Magento2_Less_CommentLevels
  • Magento2_Less_ImportantProperty
  • Magento2_Less_Indentation
  • Magento2_Less_PropertiesLineBreak
  • Magento2_Less_PropertiesSorting
  • Magento2_Less_Quotes
  • Magento2_Less_SelectorDelimiter
  • Magento2_Less_SemicolonSpacing
  • Magento2_Less_TypeSelectorConcatenation
  • Magento2_Less_TypeSelectors
  • Magento2_Less_Variables
  • Magento2_Less_ZeroUnits
  • Magento2_Methods_DeprecatedModelMethod
  • Magento2_Namespaces_ImportsFromTestNamespace
  • Magento2_NamingConvention_InterfaceName
  • Magento2_NamingConvention_ReservedWords
  • Magento2_Performance_ForeachArrayMerge
  • Magento2_PHP_ArrayAutovivification
  • Magento2_PHP_AutogeneratedClassNotInConstructor
  • Magento2_PHP_FinalImplementation
  • Magento2_PHP_Goto
  • Magento2_PHP_LiteralNamespaces
  • Magento2_PHP_ReturnValueCheck
  • Magento2_PHP_ShortEchoSyntax
  • Magento2_PHP_Var
  • Magento2_SQL_RawQuery
  • Magento2_Whitespace_MultipleEmptyLines

PHP CS Security#

  • Security_BadFunctions_Asserts
  • Security_BadFunctions_Backticks
  • Security_BadFunctions_CallbackFunctions
  • Security_BadFunctions_CryptoFunctions
  • Security_BadFunctions_EasyRFI
  • Security_BadFunctions_EasyXSS
  • Security_BadFunctions_ErrorHandling
  • Security_BadFunctions_FilesystemFunctions
  • Security_BadFunctions_FringeFunctions
  • Security_BadFunctions_FunctionHandlingFunctions
  • Security_BadFunctions_Mysqli
  • Security_BadFunctions_NoEvals
  • Security_BadFunctions_Phpinfos
  • Security_BadFunctions_PregReplace
  • Security_BadFunctions_SQLFunctions
  • Security_BadFunctions_SystemExecFunctions
  • Security_CVE_20132110
  • Security_CVE_20134113
  • Security_Drupal7_AESModule
  • Security_Drupal7_AdvisoriesContrib
  • Security_Drupal7_AdvisoriesCore
  • Security_Drupal7_Cachei
  • Security_Drupal7_DbQueryAC
  • Security_Drupal7_DynQueries
  • Security_Drupal7_HttpRequest
  • Security_Drupal7_SQLi
  • Security_Drupal7_UserInputWatch
  • Security_Drupal7_XSSFormValue
  • Security_Drupal7_XSSHTMLConstruct
  • Security_Drupal7_XSSPTheme
  • Security_Misc_BadCorsHeader
  • Security_Misc_IncludeMismatch

WordPress#

  • WordPressVIPMinimum_Classes_DeclarationCompatibility
  • WordPressVIPMinimum_Classes_RestrictedExtendClasses
  • WordPressVIPMinimum_Constants_ConstantString
  • WordPressVIPMinimum_Constants_RestrictedConstants
  • WordPressVIPMinimum_Files_IncludingFile
  • WordPressVIPMinimum_Files_IncludingNonPHPFile
  • WordPressVIPMinimum_Functions_CheckReturnValue
  • WordPressVIPMinimum_Functions_DynamicCalls
  • WordPressVIPMinimum_Functions_RestrictedFunctions
  • WordPressVIPMinimum_Functions_StripTags
  • WordPressVIPMinimum_Hooks_AlwaysReturnInFilter
  • WordPressVIPMinimum_Hooks_PreGetPosts
  • WordPressVIPMinimum_Hooks_RestrictedHooks
  • WordPressVIPMinimum_JS_DangerouslySetInnerHTML
  • WordPressVIPMinimum_JS_HTMLExecutingFunctions
  • WordPressVIPMinimum_JS_InnerHTML
  • WordPressVIPMinimum_JS_StringConcat
  • WordPressVIPMinimum_JS_StrippingTags
  • WordPressVIPMinimum_JS_Window
  • WordPressVIPMinimum_Performance_CacheValueOverride
  • WordPressVIPMinimum_Performance_FetchingRemoteData
  • WordPressVIPMinimum_Performance_LowExpiryCacheTime
  • WordPressVIPMinimum_Performance_NoPaging
  • WordPressVIPMinimum_Performance_OrderByRand
  • WordPressVIPMinimum_Performance_RegexpCompare
  • WordPressVIPMinimum_Performance_RemoteRequestTimeout
  • WordPressVIPMinimum_Performance_TaxonomyMetaInOptions
  • WordPressVIPMinimum_Performance_WPQueryParams
  • WordPressVIPMinimum_Security_EscapingVoidReturnFunctions
  • WordPressVIPMinimum_Security_ExitAfterRedirect
  • WordPressVIPMinimum_Security_Mustache
  • WordPressVIPMinimum_Security_PHPFilterFunctions
  • WordPressVIPMinimum_Security_ProperEscapingFunction
  • WordPressVIPMinimum_Security_StaticStrreplace
  • WordPressVIPMinimum_Security_Twig
  • WordPressVIPMinimum_Security_Underscorejs
  • WordPressVIPMinimum_Security_Vuejs
  • WordPressVIPMinimum_UserExperience_AdminBarRemoval
  • WordPressVIPMinimum_Variables_RestrictedVariables
  • WordPressVIPMinimum_Variables_ServerVariables
  • WordPress_Arrays_ArrayDeclarationSpacing
  • WordPress_Arrays_ArrayIndentation
  • WordPress_Arrays_ArrayKeySpacingRestrictions
  • WordPress_Arrays_MultipleStatementAlignment
  • WordPress_CodeAnalysis_AssignmentInTernaryCondition
  • WordPress_CodeAnalysis_EscapedNotTranslated
  • WordPress_DB_DirectDatabaseQuery
  • WordPress_DB_PreparedSQLPlaceholders
  • WordPress_DB_RestrictedClasses
  • WordPress_DB_RestrictedFunctions
  • WordPress_DB_SlowDBQuery
  • WordPress_DateTime_CurrentTimeTimestamp
  • WordPress_DateTime_RestrictedFunctions
  • WordPress_Files_FileName
  • WordPress_NamingConventions_PrefixAllGlobals
  • WordPress_NamingConventions_ValidFunctionName
  • WordPress_NamingConventions_ValidHookName
  • WordPress_NamingConventions_ValidPostTypeSlug
  • WordPress_NamingConventions_ValidVariableName
  • WordPress_PHP_DevelopmentFunctions
  • WordPress_PHP_DiscouragedPHPFunctions
  • WordPress_PHP_DontExtract
  • WordPress_PHP_IniSet
  • WordPress_PHP_NoSilencedErrors
  • WordPress_PHP_POSIXFunctions
  • WordPress_PHP_PregQuoteDelimiter
  • WordPress_PHP_RestrictedPHPFunctions
  • WordPress_PHP_StrictInArray
  • WordPress_PHP_TypeCasts
  • WordPress_PHP_YodaConditions
  • WordPress_WP_AlternativeFunctions
  • WordPress_WP_Capabilities
  • WordPress_WP_CapitalPDangit
  • WordPress_WP_ClassNameCase
  • WordPress_WP_CronInterval
  • WordPress_WP_DeprecatedClasses
  • WordPress_WP_DeprecatedFunctions
  • WordPress_WP_DeprecatedParameterValues
  • WordPress_WP_DeprecatedParameters
  • WordPress_WP_DiscouragedConstants
  • WordPress_WP_DiscouragedFunctions
  • WordPress_WP_EnqueuedResourceParameters
  • WordPress_WP_EnqueuedResources
  • WordPress_WP_GlobalVariablesOverride
  • WordPress_WP_I18n
  • WordPress_WP_PostsPerPage
  • WordPress_WhiteSpace_CastStructureSpacing
  • WordPress_WhiteSpace_ControlStructureSpacing
  • WordPress_WhiteSpace_ObjectOperatorSpacing
  • WordPress_WhiteSpace_OperatorSpacing

If you have any questions regarding this update or need assistance migrating to modern equivalents for these checks, please reach out to our support team.

Was this page helpful?

Your feedback helps us improve the documentation.