18 Sep 2024

Fork of a Fork, the Complicated History of Library in a WordPress Plugin

As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That has led to us finding plugins using vulnerable libraries. In the case of one of them, the plugin still has not been updated to a newer version of the library since we reached out to the plugin’s developers. Looking into a library included in a security plugin, we found that libraries can have complicated histories, leading, in this case, to a library copied from a copy of a library, with the middle link then abandoned.

The library in the plugin is listed by GitHub as being a fork of another library:

That library is, in turn, listed as a fork of another library:

So a fork of a fork.

From there, things get more complicated.

The most recent update to the original library that was forked is by the developer of the first fork:

Looking back at the first fork, it isn’t being updated anymore:

This repository has been archived by the owner on Feb 10, 2021. It is now read-only.

So it looks like the developer took over the original and then abandoned their fork.

Going back to the library in the plugin, it is described as “a simple fork of mkopinsky/zxcvbn-php to enable PHP 8 support by avoiding usage of the reserved match keyword.” Looking at the original library, it was updated to make that change on November 20, 2020. That is one day before the same change was made in the fork of a fork.

It would seem better for the plugin to switch over to the original library, as its maintainer is probably more likely to be notified if there is a security issue in the library.
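The lineage check above was done by hand through the GitHub web interface. The same information is available from the GitHub REST API (the `fork`, `parent`, `archived` and `pushed_at` fields of `GET /repos/{owner}/{repo}`), so a plugin developer can script it before bundling a library. The script below is an added example, not code from the post or from any of the projects it mentions. The repository metadata it ships with is a constructed fixture that mirrors the situation in the post; apart from mkopinsky/zxcvbn-php, the repository names in it are placeholders (the post does not name the two forks), and the dates are the ones the post cites.

```python
"""Walk a GitHub repository's fork lineage and flag links a maintainer
would want to know about: archived repositories, deep fork chains, and an
upstream that has moved on since the fork you depend on was last pushed.

Added example, not code from the original post. Field names follow the
GitHub REST API response for GET /repos/{owner}/{repo}.
"""
import json
import urllib.request

# Constructed fixture. Only mkopinsky/zxcvbn-php is a real name from the post;
# the two fork names are placeholders. Dates are those mentioned in the post.
FIXTURE = {
    "example-plugin/zxcvbn-php-fork2": {
        "full_name": "example-plugin/zxcvbn-php-fork2",
        "fork": True,
        "archived": False,
        "pushed_at": "2020-11-21T00:00:00Z",          # PHP 8 change, one day after upstream
        "parent": {"full_name": "example-dev/zxcvbn-php-fork1"},
    },
    "example-dev/zxcvbn-php-fork1": {
        "full_name": "example-dev/zxcvbn-php-fork1",
        "fork": True,
        "archived": True,                             # archived Feb 10, 2021
        "pushed_at": "2021-02-10T00:00:00Z",
        "parent": {"full_name": "mkopinsky/zxcvbn-php"},
    },
    "mkopinsky/zxcvbn-php": {
        "full_name": "mkopinsky/zxcvbn-php",
        "fork": False,
        "archived": False,
        "pushed_at": "2020-11-20T00:00:00Z",          # PHP 8 change in the original
    },
}


def fixture_fetch(full_name):
    """Offline fetcher backed by the constructed fixture above."""
    return FIXTURE[full_name]


def github_fetch(full_name):
    """Live fetcher (needs network; unauthenticated requests are rate-limited)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{full_name}",
        headers={"Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def walk_fork_chain(full_name, fetch=fixture_fetch, max_depth=10):
    """Follow 'parent' links from the given repository up to its ultimate source.

    Returns a list of summaries, index 0 being the repository asked about and
    the last entry the non-fork root. Stops on cycles or after max_depth hops.
    """
    chain, seen, name = [], set(), full_name
    while name and name not in seen and len(chain) < max_depth:
        seen.add(name)
        repo = fetch(name)
        chain.append({
            "full_name": repo["full_name"],
            "fork": bool(repo.get("fork")),
            "archived": bool(repo.get("archived")),
            "pushed_at": repo.get("pushed_at"),
        })
        parent = repo.get("parent")
        name = parent["full_name"] if parent else None
    return chain


def assess(chain):
    """Turn a lineage into human-readable findings (empty list means nothing notable)."""
    findings = []
    archived = [r["full_name"] for r in chain if r["archived"]]
    if archived:
        findings.append("archived repository in lineage: " + ", ".join(archived))
    depth = len(chain) - 1
    if depth >= 2:
        findings.append(f"fork depth {depth}: the library is a fork of a fork of {chain[-1]['full_name']}")
    if not chain[-1]["fork"] and chain[0]["fork"] and len(chain) > 1:
        findings.append(f"upstream to watch for advisories: {chain[-1]['full_name']}")
    # ISO-8601 timestamps from the API compare correctly as strings.
    if chain[0]["pushed_at"] and chain[-1]["pushed_at"] and chain[-1]["pushed_at"] > chain[0]["pushed_at"]:
        findings.append("upstream has pushes newer than the fork in use")
    return findings


if __name__ == "__main__":
    lineage = walk_fork_chain("example-plugin/zxcvbn-php-fork2")
    for hop in lineage:
        print(hop)
    for finding in assess(lineage):
        print("!", finding)
```

To run it against real repositories, pass `fetch=github_fetch` to `walk_fork_chain`; the offline fixture is only there so the logic can be exercised without network access.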
