Behind the scenes: the WooCommerce bug that hid from its own test

Christopher Ross

5 min read

WordPress & CMS engineering · Fort Erie, Ontario

In this post
Title card for the article “Behind the scenes: the WooCommerce bug that hid from its own test” on This Is My URL

The week of June 13 was mostly spent inside other people’s repositories, which is not where my weeks usually go.

The open-source week: two merges and a bug that hid from its own test

I had close to thirty open pull requests scattered across the WordPress ecosystem in various states of half-finished, and this was the week I sat down to move them. Two landed. WP Super Cache merged a fix for the way it parses q-values in the Accept header, and CMB2 merged one that escapes a handful of attribute outputs that were going out raw. Both are the small, boring kind of correctness fix that nobody will ever notice working, which is exactly why I like sending them. I also opened new work against Custom Post Type UI, reworked a stalled plugin contribution, sent a code-of-conduct addition to Distributor, and filed a smaller request against Gutenberg.

The one I learned the most from was a WooCommerce pull request. I almost shipped a fix that would have quietly undone itself. The patch passed its own tests, which felt great. Then I ran an adversarial pass over my own work and found the problem: saving the order after my change would quietly overwrite the in-memory state the fix depended on. So I did the thing I should always do and mentally deleted the fix to see whether the test still passed. It did. A test that goes green whether or not the bug is fixed is not a test, it is a small green decoration. I rewrote both the change and the test, and that one catch is now a written rule I run before every contribution to a repository I do not own.

The bug that hid from its own test A branching logic flow. The fix sets the order’s in-memory state. From there two paths diverge. The test path reads that state right away and passes. The real-world path saves the order first, and the save overwrites the in-memory state the fix depended on, so the fix is undone and the bug returns. The save step, shown as the solid copper node, is the step the test path never runs, which is why the test passed whether or not the bug was fixed. WHY THE TEST PASSED The bug that hid from its own test The test read the fix before the save that would have undone it. TEST PATH REAL-WORLD PATH The fix sets the in-memory state The test reads that state right away The test passes Real use saves the order first The save overwrites that state The fix is undone, the bug returns The copper step is the save the test never runs. Delete the fix and the test still passes, so it was never testing the fix.
I drew the two paths so you can see why the test went green: it read the fix before the save that quietly overwrote it.

The 90-day content audit: twenty-seven posts and seventy pages against the rubric

The other large block of the week was a full pass over my own published library. I ran every post and every non-post page against the production rubric, ninety days of content, and brought all of it to ninety percent or better. That is twenty-seven posts and seventy other pages: services, tools, downloads, case studies, and project entries. A couple of posts were leaning on prose to carry an idea that quite obviously wanted a picture, so those got a diagram built and dropped in.

What an audit like this really does is make the gap visible. Most pages were already fine. The work was finding the handful that were quietly underperforming the standard I tell clients I hold, and fixing them before anyone else noticed. The thread running through it is the same one I argued in what WordPress 7’s AI layer means for plugin developers: the durable skill is the standard you hold, not the tooling you happen to be holding it with this year.

Colophon theme waves and an author bio rebuilt for search trust

The Colophon theme collection and the site’s own author identity took what was left. I moved the themes through several more audit waves, fixed continuous-integration failures across three of the repositories, and ran a security pass over the PHP, JavaScript, and CSS. On the site itself I rebuilt the author bio from the ground up for the trust signals search engines actually read: a real photograph, a dynamic link, a working social shortcode, and copy that earns the expertise it claims instead of asserting it. A schema audit on a ten-post sample turned up eight structured-data fixes, now live on the dev site.

What I took from the week

The contribution track changed how I read the rest of the work. When you send code into a project you do not control, you cannot lean on knowing how the whole thing fits together. The reviewer does not have your context, and the test has to prove the fix on its own.

On my own site I always have the context, which means I can quietly get away with a test that leans on it instead of proving anything. The WooCommerce catch was a good reminder that the standard worth holding everywhere is the one a stranger’s repository forces on you anyway. It is also the standard I bring to client work, which is the honest version of why anyone would hire me to do this. If you want last week instead, it is over here.

Keep reading

Working through something on your own site? Get in touch →

Leave a Reply

Your email address will not be published. Required fields are marked *

Your rating (optional)

Your name and email are stored with your comment; only your display name is shown publicly. See our privacy policy.