Fighting A Bad Upstream Package Update: Imagick

Over the weekend, many of our servers started to exhibit weird behavior. Commands and processes that were working just fine suddenly failed with little explanation.

Upon deeper inspection we discovered that the maintainer of the Imagick PHP module had changed the package to be a “meta” package.

Imagick is a module that WordPress relies on for image manipulation.

A “meta” package is simply a pointer to a series of other packages – usually packages for different versions of PHP.

In this case, the pointer included a version of Imagick for PHP 8.0 RC1.

On the surface this shouldn’t be a big deal. However, it turned out to be a very big deal and the maintainer eventually reverted part of the change – but not before a number of servers were added or updated with unwanted packages.

Anyone who depended on the original link to get a single copy of the Imagick PHP module now ended up getting a version for PHP 8.0 RC1 as well – which meant that the dependency resolution mechanism in apt-get (the Ubuntu package manager) downloaded and installed PHP 8.0 RC1 onto production servers.

Yikes.

We originally thought this issue only affected new servers and so we pushed out an emergency patch for new servers to make sure we handled the new ‘meta’ package properly.

But, as it turns out, that would not be enough.

48 hours later we realized that EXISTING servers were getting the bad package as well via their auto-update mechanism.

Double Yikes.

So now we had to scramble to push out a new fix to revert the bad updates.
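
The failure described above, where apt's dependency resolution installs a PHP version nobody asked for, can be caught before an upgrade runs by inspecting a simulated apt run. The script below is an added example, not part of the original article or of WPCD; the function names, the allowed-version list ("7.4") and the sample apt output are assumptions constructed for illustration. Any package name it prints is a reason to hold the upgrade and look at what pulled it in.

```shell
#!/bin/sh
# Added example (not from the article or WPCD): list versioned PHP packages
# that a simulated apt run would NEWLY install for a PHP version you did not
# approve. Function names and the allowed-version list are assumptions.

# Usage on a live host (simulation only, installs nothing):
#   apt-get -s dist-upgrade | unexpected_php_installs "7.4"
unexpected_php_installs() {
    allowed="$1"   # space-separated PHP versions this server is meant to run
    awk -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # "Inst <pkg> (<new> ...)" is a new install; an upgrade carries
        # "[<old>]" as the third field, so it is skipped here.
        $1 == "Inst" && substr($3, 1, 1) == "(" {
            # Versioned PHP packages are named php<major>.<minor>[-module].
            if (match($2, /^php[0-9]+\.[0-9]+/)) {
                ver = substr($2, 4, RLENGTH - 3)
                if (!(ver in ok)) print $2
            }
        }
    '
}

# Constructed sample of `apt-get -s` output; versions and repo are placeholders.
sample_simulation() {
    cat <<'EOF'
Inst php7.4-common [0.0.1-constructed] (0.0.2-constructed repo [amd64])
Inst php-imagick [0.0.1-constructed] (0.0.2-constructed repo [all])
Inst php7.4-imagick (0.0.2-constructed repo [amd64])
Inst php8.0-common (0.0.0-constructed repo [amd64])
Inst php8.0-cli (0.0.0-constructed repo [amd64])
Inst php8.0-imagick (0.0.0-constructed repo [amd64])
Conf php8.0-imagick (0.0.0-constructed repo [amd64])
EOF
}

# Stand-alone demo on the constructed sample: prints the three php8.0 packages.
sample_simulation | unexpected_php_installs "7.4"
```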

What do you need to do?

If you have a server that was installed prior to October 11th, 2020, you should assume that you are affected by this Imagick update. To apply the changes to your servers:

  • Log into your account and download the latest version of WPCD – it should be 4.0.1
  • Delete your existing WPCD and upload and activate this new version.
  • Navigate to one of your servers and go to the TOOLS tab.
  • Click on the button labelled REMOVE PHP 8.0 RC1 & RESET IMAGICK MODULE.
  • Repeat for all other affected servers – any server deployed prior to October 11th, 2020.
  • If you accidentally run the process for newer servers it should not result in any issues.

Wrap Up

We apologize for this issue – as with most software systems these days, the interconnectedness of the package ecosystem sometimes comes back to bite us. In this case we were simply at the mercy of a bad upstream package update.
