On Jan 9, 2024, we released WooCommerce 8.5.0. Soon afterwards, we began receiving reports of issues, which called into question the quality control for this release.
We want to acknowledge and address the challenges and concerns raised by the community following the release of 8.5.0, and subsequently 8.5.1. The feedback is invaluable to us, and we appreciate your candid insights.
The 8.5.0 release introduced breaking changes that affected our users. While we swiftly addressed the initial issues with the release of 8.5.1 on January 15th, subsequent reports have brought to light a myriad of problems that have understandably caused frustration and concerns among members of the WooCommerce community, from merchants to developers.
8.5 produces a fatal error on upgrade:
On December 20th, 2023, a PR was merged that was meant to activate the new React-based Marketplace UI by default, removing the option to disable it manually. Unfortunately, the PR caused a fatal error when the Marketplace feature flag was enabled. The PR was merged in time for the 8.5 code freeze; the release itself was scheduled for January 9th, with the December 26th release skipped due to the holiday.
The issue was present in the Beta cut. Kathy Darling, a frequent contributor, caught it and submitted a PR, which was reviewed and approved by the engineering teams but was never merged, in part because of some persistent build-related issues. A separate PR was created when working on the 8.5.1 fix release.
Ultimately, the issue was overlooked, and the 8.5.0 version was released with the affected code present.
The default web application firewall (WAF) rules on some hosting providers were not compatible with 8.5, causing some stores to unexpectedly become inaccessible [1, 2]. As a result, a number of WooCommerce stores running on hosts with such rules in their Web Application Firewall experienced 403s when the sbjs_first cookie was set by Sourcebuster as part of the Order Attribution feature.
With the release of 8.5.1, many new scripts were added to sites with WooCommerce, causing understandable concerns from the community around performance and possible errors.
What we plan to do about it
In the aftermath of this issue, we have identified different points where we could have mitigated some of these issues, as well as steps we are taking to course correct.
8.5 produces a fatal error on upgrade
- Testing of the initial PR had room for improvement. Although we have an existing PR review process, which includes rigorous testing, we will be reinforcing the need for better testing.
- We will be more rigorous in writing and enforcing clear testing instructions in PRs, including explicit directions for new features or changes.
- We plan to strengthen our communication channels for issue triage, with a focus on timely and broad communication so that when issues like this one are present, we can make the appropriate call as to how to proceed with a release.
- A more robust automated notification system might have alerted us to this error earlier in our release process, which is why we are exploring the implementation of such a system to help us catch these issues sooner.
- We are working to reach out to some of the WAF ruleset providers like Comodo and OWASP to have all Sourcebuster cookies allowed.
- Modify our forked Sourcebuster library to use values that don’t cause issues. For example, simply changing the delimiter from ||| to || means the cookie no longer matches the WAF rule.
Because WooCommerce is used globally, we are committed to ensuring the best possible experience we can for all of our users.
As a result, we will be adding the question of whether each release is GDPR-compliant to our release checklist.
We have created an issue and are working on a fix to remove unnecessary bloat from the platform.
We will implement monitoring of asset payload size and impacts on performance both during development and as a part of our release process.
We want to reiterate our gratitude for the time the community has spent surfacing and even investigating some of these issues. We are committed to having open communication with the community and being increasingly responsive during situations like this one. We appreciate your candor and feedback, which help us improve our processes and ultimately this platform.