WP.org stable tag rollbacks can serve withdrawn versions #78

@retlehs

Description

Problem

WordPress.org plugin authors can roll back their stable release by changing the Stable tag in readme.txt without removing the newer SVN tag. The wp.org API's version field correctly reflects the stable version, but the versions map still includes the rolled-back tag — there's no flag or field to mark a version as withdrawn.

As long as a tag exists in SVN, we serve it in our Composer packages, and Composer/Dependabot/Renovate will resolve or update to it. There's nothing we can do about this without upstream changes to the wp.org API.

Recommended mitigation

Use the WP Packages Changelog Action in CI to get PR comments that warn when an installed version doesn't match the wp.org stable tag.
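A minimal version of the check the recommended mitigation performs, added here as an illustration and not taken from the WP Packages Changelog Action or this project's code: it compares the versions locked in composer.lock against the wp.org API's `version` (stable tag) and `versions` map, and flags packages pinned to a tag that wp.org still serves but no longer marks stable. The API response, the composer.lock fragment and the `wpackagist-plugin` vendor prefix are constructed assumptions.

```python
import json
from typing import Dict, List

# Constructed wp.org plugin-info style response: `version` is the stable tag,
# while `versions` still lists the rolled-back 2.1.0 tag (there is no field
# that marks it withdrawn, which is the limitation described in the issue).
WP_ORG_INFO: Dict[str, dict] = {
    "example-plugin": {
        "version": "2.0.3",
        "versions": {"2.0.2": "zip", "2.0.3": "zip", "2.1.0": "zip", "trunk": "zip"},
    }
}

# Constructed composer.lock fragment; the vendor prefix is an assumption.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "wpackagist-plugin/example-plugin", "version": "2.1.0"},
    {"name": "roots/acorn", "version": "4.3.0"},
]})


def version_key(version: str) -> tuple:
    """Sort key for dotted versions; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_stable_mismatches(lock_json: str, wp_info: Dict[str, dict],
                           vendor: str = "wpackagist-plugin") -> List[dict]:
    """Report locked wp.org plugins whose version differs from the stable tag."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        name = pkg["name"]
        if not name.startswith(vendor + "/"):
            continue  # not a wp.org-derived package
        slug = name.split("/", 1)[1]
        info = wp_info.get(slug)
        if info is None:
            continue  # nothing to compare against
        installed, stable = pkg["version"], info["version"]
        if installed == stable:
            continue
        findings.append({
            "slug": slug, "installed": installed, "stable": stable,
            # tag still exists in SVN, so Composer will keep resolving to it
            "still_served": installed in info.get("versions", {}),
            "newer_than_stable": version_key(installed) > version_key(stable),
        })
    return findings


if __name__ == "__main__":
    for f in find_stable_mismatches(COMPOSER_LOCK, WP_ORG_INFO):
        print(f"WARNING {f['slug']}: installed {f['installed']}, stable tag is {f['stable']}")
```

In CI the same comparison would run against a live plugin-information API response and post the warning as a PR comment.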
