221 points michaelcampbell | 5 comments
system2 No.41830709
Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.

EDIT: I confirm our ACF plugins on sites are all switched to Secure Custom Fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our clients' sites). Let's see what comes next...

EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.

replies(13): >>41830770 #>>41831019 #>>41831125 #>>41831219 #>>41831312 #>>41831371 #>>41831420 #>>41831589 #>>41831598 #>>41831645 #>>41832233 #>>41833738 #>>41835660 #
Cyberdog No.41831219
How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
replies(2): >>41831671 #>>41831683 #
1. sgdfhijfgsdfgds No.41831671
WordPress has a (highly effective) auto-updates mechanism for security patches.

It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.

(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)

The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.

And in fact, very little has changed.

replies(1): >>41832441 #
2. arielcostas No.41832441
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these are definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken
replies(2): >>41832595 #>>41834608 #
3. sgdfhijfgsdfgds No.41832595
Yeah.

I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.

As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.

But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.

https://wordpress.org/plugins/advanced-custom-fields/advance... (scroll down to the bottom and you can download the previous version to diff it)

So as far as the poor benighted plugin updater is concerned, it's just a change to the display name, which is inconsequential.

[0] WP Engine do, ironically, on a pretty short timescale!
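
As an added example for the two points made in this sub-thread (the updater identifies a plugin by its slug alone, and the change shipped as a patch-level version bump), here is a must-use plugin that a site operator could drop into wp-content/mu-plugins/. It is not code from WordPress, ACF, WP Engine or any commenter. It uses two real core hooks, the `auto_update_plugin` filter (which receives the update offer object with `->slug`, `->plugin` and `->new_version`) and the `upgrader_process_complete` action; the slug list, the option name, the patch-only policy and the function names are assumptions. Note what it can and cannot do: by the thread's own account the bump to 6.3.6.2 is patch-level, so the version gate alone would have let it through; only the post-update comparison of the plugin's declared Name and Author surfaces a same-slug update that changed what the plugin says it is.

```php
<?php
/**
 * Plugin Name: Pinned plugin updates (added example; not part of WordPress or ACF)
 * Description: Restricts automatic updates of listed plugins to patch-level bumps and
 *              reports updates that change a plugin's declared Name or Author.
 *
 * Install as wp-content/mu-plugins/pinned-plugin-updates.php. The slug list, the
 * option name and the policy below are assumptions made for this example.
 */

// wordpress.org slugs that get the restricted policy. The core updater identifies a
// plugin by this slug alone, which is why one slug can deliver a different code base.
const PINNED_PLUGIN_SLUGS = array( 'advanced-custom-fields' );

// Option that remembers plugin headers seen just before an automatic update runs.
const PINNED_SNAPSHOT_OPTION = 'pinned_plugin_header_snapshot';

/** Load the admin plugin helpers if the current request has not done so yet. */
function pinned_require_plugin_api(): void {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
}

/**
 * Classify the bump from $installed to $offered as 'none', 'major', 'minor' or 'patch'.
 * Every component after the second counts as patch-level, so 6.3.6.1 -> 6.3.6.2 is 'patch'.
 */
function pinned_classify_bump( string $installed, string $offered ): string {
    if ( version_compare( $offered, $installed, '<=' ) ) {
        return 'none';
    }
    $a   = array_map( 'intval', explode( '.', $installed ) );
    $b   = array_map( 'intval', explode( '.', $offered ) );
    $len = max( count( $a ), count( $b ) );
    $a   = array_pad( $a, $len, 0 ); // pad so 6.3.6 and 6.3.6.2 compare component-wise
    $b   = array_pad( $b, $len, 0 );
    if ( $a[0] !== $b[0] ) {
        return 'major';
    }
    if ( ( $a[1] ?? 0 ) !== ( $b[1] ?? 0 ) ) {
        return 'minor';
    }
    return 'patch';
}

/** Return the header fields whose value differs between two get_plugin_data() arrays. */
function pinned_header_changes( array $before, array $after ): array {
    $diff = array();
    foreach ( array( 'Name', 'Author' ) as $key ) {
        if ( ( $before[ $key ] ?? '' ) !== ( $after[ $key ] ?? '' ) ) {
            $diff[] = sprintf( '%s: "%s" -> "%s"', $key, $before[ $key ] ?? '', $after[ $key ] ?? '' );
        }
    }
    return $diff;
}

/**
 * auto_update_plugin filter. $item is the update offer object from the wordpress.org API.
 * Returns whether the automatic updater may apply it; core's decision is kept for
 * plugins that are not pinned.
 */
function pinned_allow_auto_update( $update, $item ) {
    if ( empty( $item->slug ) || empty( $item->new_version )
        || ! in_array( $item->slug, PINNED_PLUGIN_SLUGS, true ) ) {
        return $update;
    }
    pinned_require_plugin_api();
    $header = get_plugin_data( WP_PLUGIN_DIR . '/' . $item->plugin, false, false );
    $bump   = pinned_classify_bump( $header['Version'], $item->new_version );
    if ( 'patch' !== $bump ) {
        error_log( sprintf( 'pinned-updates: holding %s %s -> %s (%s bump)',
            $item->slug, $header['Version'], $item->new_version, $bump ) );
        return false;
    }
    // Remember what the plugin called itself so the post-update check can compare.
    $snapshot                  = (array) get_option( PINNED_SNAPSHOT_OPTION, array() );
    $snapshot[ $item->plugin ] = array( 'Name' => $header['Name'], 'Author' => $header['Author'] );
    update_option( PINNED_SNAPSHOT_OPTION, $snapshot, false );
    return $update;
}
add_filter( 'auto_update_plugin', 'pinned_allow_auto_update', 10, 2 );

/**
 * upgrader_process_complete action. A same-slug, patch-level update that changes the
 * declared Name or Author is invisible to the version policy above, so it is reported.
 */
function pinned_check_identity( $upgrader, $hook_extra ) {
    if ( 'plugin' !== ( $hook_extra['type'] ?? '' ) || 'update' !== ( $hook_extra['action'] ?? '' ) ) {
        return;
    }
    pinned_require_plugin_api();
    $snapshot = (array) get_option( PINNED_SNAPSHOT_OPTION, array() );
    foreach ( (array) ( $hook_extra['plugins'] ?? array() ) as $basename ) {
        if ( ! isset( $snapshot[ $basename ] ) ) {
            continue;
        }
        $after   = get_plugin_data( WP_PLUGIN_DIR . '/' . $basename, false, false );
        $changed = pinned_header_changes( $snapshot[ $basename ], $after );
        if ( $changed ) {
            $msg = sprintf( 'pinned-updates: %s changed after update: %s', $basename, implode( '; ', $changed ) );
            error_log( $msg );
            wp_mail( get_option( 'admin_email' ), 'Plugin identity changed during auto-update', $msg );
        }
    }
}
add_action( 'upgrader_process_complete', 'pinned_check_identity', 10, 2 );
```

The `auto_update_plugin` filter is also consulted by the admin plugins screen, which is why the function returns early when the offer carries no `new_version` and only writes the snapshot option when it is about to allow an update. Holding non-patch bumps is a policy choice, not a fix for the underlying issue: the updater has no notion of plugin identity beyond the slug, so the post-update header comparison is the part that actually tells an operator that something other than the display name may have changed and that the site needs a look.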

4. mldevv No.41834608
Yes, and that is a huge deal - I made this point to others that it shouldn't be considered a minor version change
replies(1): >>41840583 #
5. sgdfhijfgsdfgds No.41840583
Right. And actually this small detail is emblematic of the whole problem.

When you roll out an auto-updates mechanism you're saying to the people who enable it "you can trust us to do the right thing with your project while you are elsewhere -- this is a risk but it's one we manage for your benefit".

If you roll out a change for purely political/commercial reasons that are ultimately not your end user's concern -- we're not a party to that lawsuit -- then you're undermining the trust in that mechanism entirely.

It was a stupid, arrogant, underhanded thing to do.