PHP_CodeSniffer Upgrade and Legacy Package Deprecations – July 2026#
We are preparing to upgrade our PHP CodeSniffer tool to the latest version. This update will bring vital performance improvements, better syntax parsing, and support for the latest PHP features.
We know how important your current workflows and rule configurations are. However, to successfully complete this upgrade, we have encountered hard compatibility constraints with several older, unmaintained coding standard packages. To move forward, we must officially remove support for these legacy packages and their associated rules.
Packages Being Removed#
The following packages are incompatible with the latest PHP_CodeSniffer version or are no longer maintained, and will be dropped in this release:
- automattic/vipwpcs
- magento/magento-coding-standard
- magento/marketplace-eqp
- pheromone/phpcs-security-audit
- wp-coding-standards/wpcs
What to expect#
As a result, pattern IDs from these packages will no longer be evaluated during your code scans, and any existing issues from them will disappear.
Below is the comprehensive list of patterns that are being removed, categorized by their respective frameworks.
Magento#
- MEQP1_Classes_Mysql4
- MEQP1_Classes_ObjectInstantiation
- MEQP1_Classes_ResourceModel
- MEQP1_CodeAnalysis_EmptyBlock
- MEQP1_Exceptions_DirectThrow
- MEQP1_Exceptions_Namespace
- MEQP1_Performance_CollectionCount
- MEQP1_Performance_EmptyCheck
- MEQP1_Performance_InefficientMethods
- MEQP1_Performance_Loop
- MEQP1_PHP_Goto
- MEQP1_PHP_PrivateClassMember
- MEQP1_PHP_Syntax
- MEQP1_PHP_Var
- MEQP1_SQL_MissedIndexes
- MEQP1_SQL_RawQuery
- MEQP1_SQL_SlowQuery
- Magento2Framework_Header_Copyright
- Magento2Framework_Header_CopyrightAnotherExtensionsFiles
- Magento2Framework_Header_CopyrightGraphQL
- Magento2Framework_Header_License
- Magento2_Annotation_MethodAnnotationStructure
- Magento2_Annotation_MethodArguments
- Magento2_Classes_AbstractApi
- Magento2_Classes_DiscouragedDependencies
- Magento2_CodeAnalysis_EmptyBlock
- Magento2_Commenting_ClassAndInterfacePHPDocFormatting
- Magento2_Commenting_ClassPropertyPHPDocFormatting
- Magento2_Commenting_ConstantsPHPDocFormatting
- Magento2_Exceptions_DirectThrow
- Magento2_Exceptions_ThrowCatch
- Magento2_Exceptions_TryProcessSystemResources
- Magento2_Functions_DiscouragedFunction
- Magento2_Functions_FunctionsDeprecatedWithoutArgument
- Magento2_Functions_StaticFunction
- Magento2_GraphQL_AbstractGraphQL
- Magento2_GraphQL_ValidArgumentName
- Magento2_GraphQL_ValidEnumValue
- Magento2_GraphQL_ValidFieldName
- Magento2_GraphQL_ValidTopLevelFieldName
- Magento2_GraphQL_ValidTypeName
- Magento2_Html_HtmlBinding
- Magento2_Html_HtmlClosingVoidTags
- Magento2_Html_HtmlCollapsibleAttribute
- Magento2_Html_HtmlDirective
- Magento2_Html_HtmlSelfClosingTags
- Magento2_Legacy_AbstractBlock
- Magento2_Legacy_ClassReferencesInConfigurationFiles
- Magento2_Legacy_DiConfig
- Magento2_Legacy_EmailTemplate
- Magento2_Legacy_EscapeMethodsOnBlockClass
- Magento2_Legacy_InstallUpgrade
- Magento2_Legacy_Layout
- Magento2_Legacy_MageEntity
- Magento2_Legacy_ModuleXML
- Magento2_Legacy_ObsoleteAcl
- Magento2_Legacy_ObsoleteConfigNodes
- Magento2_Legacy_ObsoleteConnection
- Magento2_Legacy_ObsoleteMenu
- Magento2_Legacy_ObsoleteSystemConfiguration
- Magento2_Legacy_PhtmlTemplate
- Magento2_Legacy_RestrictedCode
- Magento2_Legacy_TableName
- Magento2_Legacy_WidgetXML
- Magento2_Less_AvoidId
- Magento2_Less_BracesFormatting
- Magento2_Less_ClassNaming
- Magento2_Less_ColonSpacing
- Magento2_Less_ColourDefinition
- Magento2_Less_CombinatorIndentation
- Magento2_Less_CommentLevels
- Magento2_Less_ImportantProperty
- Magento2_Less_Indentation
- Magento2_Less_PropertiesLineBreak
- Magento2_Less_PropertiesSorting
- Magento2_Less_Quotes
- Magento2_Less_SelectorDelimiter
- Magento2_Less_SemicolonSpacing
- Magento2_Less_TypeSelectorConcatenation
- Magento2_Less_TypeSelectors
- Magento2_Less_Variables
- Magento2_Less_ZeroUnits
- Magento2_Methods_DeprecatedModelMethod
- Magento2_Namespaces_ImportsFromTestNamespace
- Magento2_NamingConvention_InterfaceName
- Magento2_NamingConvention_ReservedWords
- Magento2_Performance_ForeachArrayMerge
- Magento2_PHP_ArrayAutovivification
- Magento2_PHP_AutogeneratedClassNotInConstructor
- Magento2_PHP_FinalImplementation
- Magento2_PHP_Goto
- Magento2_PHP_LiteralNamespaces
- Magento2_PHP_ReturnValueCheck
- Magento2_PHP_ShortEchoSyntax
- Magento2_PHP_Var
- Magento2_SQL_RawQuery
- Magento2_Whitespace_MultipleEmptyLines
PHP CS Security#
- Security_BadFunctions_Asserts
- Security_BadFunctions_Backticks
- Security_BadFunctions_CallbackFunctions
- Security_BadFunctions_CryptoFunctions
- Security_BadFunctions_EasyRFI
- Security_BadFunctions_EasyXSS
- Security_BadFunctions_ErrorHandling
- Security_BadFunctions_FilesystemFunctions
- Security_BadFunctions_FringeFunctions
- Security_BadFunctions_FunctionHandlingFunctions
- Security_BadFunctions_Mysqli
- Security_BadFunctions_NoEvals
- Security_BadFunctions_Phpinfos
- Security_BadFunctions_PregReplace
- Security_BadFunctions_SQLFunctions
- Security_BadFunctions_SystemExecFunctions
- Security_CVE_20132110
- Security_CVE_20134113
- Security_Drupal7_AESModule
- Security_Drupal7_AdvisoriesContrib
- Security_Drupal7_AdvisoriesCore
- Security_Drupal7_Cachei
- Security_Drupal7_DbQueryAC
- Security_Drupal7_DynQueries
- Security_Drupal7_HttpRequest
- Security_Drupal7_SQLi
- Security_Drupal7_UserInputWatch
- Security_Drupal7_XSSFormValue
- Security_Drupal7_XSSHTMLConstruct
- Security_Drupal7_XSSPTheme
- Security_Misc_BadCorsHeader
- Security_Misc_IncludeMismatch
WordPress#
- WordPressVIPMinimum_Classes_DeclarationCompatibility
- WordPressVIPMinimum_Classes_RestrictedExtendClasses
- WordPressVIPMinimum_Constants_ConstantString
- WordPressVIPMinimum_Constants_RestrictedConstants
- WordPressVIPMinimum_Files_IncludingFile
- WordPressVIPMinimum_Files_IncludingNonPHPFile
- WordPressVIPMinimum_Functions_CheckReturnValue
- WordPressVIPMinimum_Functions_DynamicCalls
- WordPressVIPMinimum_Functions_RestrictedFunctions
- WordPressVIPMinimum_Functions_StripTags
- WordPressVIPMinimum_Hooks_AlwaysReturnInFilter
- WordPressVIPMinimum_Hooks_PreGetPosts
- WordPressVIPMinimum_Hooks_RestrictedHooks
- WordPressVIPMinimum_JS_DangerouslySetInnerHTML
- WordPressVIPMinimum_JS_HTMLExecutingFunctions
- WordPressVIPMinimum_JS_InnerHTML
- WordPressVIPMinimum_JS_StringConcat
- WordPressVIPMinimum_JS_StrippingTags
- WordPressVIPMinimum_JS_Window
- WordPressVIPMinimum_Performance_CacheValueOverride
- WordPressVIPMinimum_Performance_FetchingRemoteData
- WordPressVIPMinimum_Performance_LowExpiryCacheTime
- WordPressVIPMinimum_Performance_NoPaging
- WordPressVIPMinimum_Performance_OrderByRand
- WordPressVIPMinimum_Performance_RegexpCompare
- WordPressVIPMinimum_Performance_RemoteRequestTimeout
- WordPressVIPMinimum_Performance_TaxonomyMetaInOptions
- WordPressVIPMinimum_Performance_WPQueryParams
- WordPressVIPMinimum_Security_EscapingVoidReturnFunctions
- WordPressVIPMinimum_Security_ExitAfterRedirect
- WordPressVIPMinimum_Security_Mustache
- WordPressVIPMinimum_Security_PHPFilterFunctions
- WordPressVIPMinimum_Security_ProperEscapingFunction
- WordPressVIPMinimum_Security_StaticStrreplace
- WordPressVIPMinimum_Security_Twig
- WordPressVIPMinimum_Security_Underscorejs
- WordPressVIPMinimum_Security_Vuejs
- WordPressVIPMinimum_UserExperience_AdminBarRemoval
- WordPressVIPMinimum_Variables_RestrictedVariables
- WordPressVIPMinimum_Variables_ServerVariables
- WordPress_Arrays_ArrayDeclarationSpacing
- WordPress_Arrays_ArrayIndentation
- WordPress_Arrays_ArrayKeySpacingRestrictions
- WordPress_Arrays_MultipleStatementAlignment
- WordPress_CodeAnalysis_AssignmentInTernaryCondition
- WordPress_CodeAnalysis_EscapedNotTranslated
- WordPress_DB_DirectDatabaseQuery
- WordPress_DB_PreparedSQLPlaceholders
- WordPress_DB_RestrictedClasses
- WordPress_DB_RestrictedFunctions
- WordPress_DB_SlowDBQuery
- WordPress_DateTime_CurrentTimeTimestamp
- WordPress_DateTime_RestrictedFunctions
- WordPress_Files_FileName
- WordPress_NamingConventions_PrefixAllGlobals
- WordPress_NamingConventions_ValidFunctionName
- WordPress_NamingConventions_ValidHookName
- WordPress_NamingConventions_ValidPostTypeSlug
- WordPress_NamingConventions_ValidVariableName
- WordPress_PHP_DevelopmentFunctions
- WordPress_PHP_DiscouragedPHPFunctions
- WordPress_PHP_DontExtract
- WordPress_PHP_IniSet
- WordPress_PHP_NoSilencedErrors
- WordPress_PHP_POSIXFunctions
- WordPress_PHP_PregQuoteDelimiter
- WordPress_PHP_RestrictedPHPFunctions
- WordPress_PHP_StrictInArray
- WordPress_PHP_TypeCasts
- WordPress_PHP_YodaConditions
- WordPress_WP_AlternativeFunctions
- WordPress_WP_Capabilities
- WordPress_WP_CapitalPDangit
- WordPress_WP_ClassNameCase
- WordPress_WP_CronInterval
- WordPress_WP_DeprecatedClasses
- WordPress_WP_DeprecatedFunctions
- WordPress_WP_DeprecatedParameterValues
- WordPress_WP_DeprecatedParameters
- WordPress_WP_DiscouragedConstants
- WordPress_WP_DiscouragedFunctions
- WordPress_WP_EnqueuedResourceParameters
- WordPress_WP_EnqueuedResources
- WordPress_WP_GlobalVariablesOverride
- WordPress_WP_I18n
- WordPress_WP_PostsPerPage
- WordPress_WhiteSpace_CastStructureSpacing
- WordPress_WhiteSpace_ControlStructureSpacing
- WordPress_WhiteSpace_ObjectOperatorSpacing
- WordPress_WhiteSpace_OperatorSpacing
If you have any questions regarding this update or need assistance migrating to modern equivalents for these checks, please reach out to our support team.
Was this page helpful?
Your feedback helps us improve the documentation.
255 characters left
Thanks for helping improve Codacy documentation.
For more detailed feedback, open an issue on GitHub.