Old Plugin Version Downloaded Due to Cached API Response in Transient

[ShyamGadde]

Bug Description

When activating a plugin from the Performance Lab settings page shortly after a new version is released, there is a possibility that an older version will be downloaded. This is because the response from the plugins API query is cached in a WordPress transient (_transient_perflab_plugins_info), which has a default lifetime of one hour. During this time, the cached plugin data, including the version and download link, may still point to the older version.

Code responsible for the plugin installation:

performance/plugins/performance-lab/includes/admin/plugins.php

Lines 354 to 357 in 20a038f

	// Replace new Plugin_Installer_Skin with new Quiet_Upgrader_Skin when output needs to be suppressed.
	$skin = new WP_Ajax_Upgrader_Skin( array( 'api' => $plugin_data ) );
	$upgrader = new Plugin_Upgrader( $skin );
	$result = $upgrader->install( $plugin_data['download_link'] );

To illustrate, the unserialized values of the _transient_perflab_plugins_info transient look like this:

Array
(
    ...

    [optimization-detective] => Array
        (
            [name] => Optimization Detective
            [slug] => optimization-detective
            [short_description] => Provides an API for leveraging real user metrics to detect optimizations to apply on the frontend to improve page performance.
            [requires] => 6.5
            [requires_php] => 7.2
            [requires_plugins] => Array
                (
                )

            [download_link] => https://downloads.wordpress.org/plugin/optimization-detective.0.7.0.zip
            [version] => 0.7.0
        )

        ...
)

Scope of the Issue

This issue is relatively rare and occurs only under specific conditions:

1. A new version of a plugin in Performance Lab has just been released.
2. The transient data is already present and has not expired.
3. The plugin activation attempt happens within the transient's one-hour lifetime.

While this is not a critical issue (users can always go to the main Plugins page to update manually), it may cause confusion in situations where the latest version is expected to be installed immediately from the settings page.

Steps to reproduce

Reproducing this behavior required manually altering the transient data (_transient_perflab_plugins_info) in the WordPress database. I did this by modifying the download_link value for the Optimization Detective plugin in the wp_options table. Specifically, I changed the link to https://downloads.wordpress.org/plugin/optimization-detective.0.7.0.zip to simulate the presence of an older version.

This manual adjustment was necessary because there isn't an easy way to trigger this scenario without an actual new plugin version release.

[westonruter]

Interesting. I wasn't aware that the download_link was being used to install the plugin. Two possible ways I can see that this should be fixed:

First of all, the PL plugin's version to the transient key to ensure that whenever a new version of the PL plugin is released, the cache will be invalidated so that the latest plugins will be fetched. A couple problems with this, however:

1. The PL plugin could be published before other plugins. This means someone could in theory access the Performance screen immediately after updating the PL plugin but before another plugin was updated (or the update is reflected in the WordPress API response), resulting in a stale plugin being downloaded.
2. Standalone plugins may be updated outside the monthly release cycle, resulting in those updates not being installable from the Performance screen for up to an hour.

Instead of adding the plugin's version number to the transient key, I think a better solution may be to just strip the version number off of download_link. So https://downloads.wordpress.org/plugin/optimization-detective.0.7.0.zip would instead become https://downloads.wordpress.org/plugin/optimization-detective.zip. This will then automatically download the latest version.