What’s New in the Roots.io Ecosystem: A Year of Major Releases (2025–2026)
The twelve months between April 2025 and April 2026 were the busiest period in the Roots.io ecosystem’s history. Every core tool shipped a major release, two entirely new projects launched, a decade-old local development tool was retired and replaced, and the Composer side of WordPress got two new community-run repositories that promise to reshape how the ecosystem handles dependencies and security. If you last touched a Roots.io project in early 2025, a lot has changed — and most of the changes are worth adopting.
This post is a complete, chronological tour of what’s new in the Roots.io ecosystem in 2025 and 2026. We’ll cover Bedrock 1.29 and 1.30, Sage 11 and the Acorn v5 / v6 upgrade path, Trellis dropping Vagrant in favor of Lima, the launch of WP Packages and WP Sec Adv, the new Acorn ecosystem packages (AI, Post Types, User Roles), and the latest Radicle release. For each change, we’ll explain what it is, why it matters, and whether you need to act on it.
If you haven’t read the first post in this series, start with The Roots.io Stack in 2026 for the mental model. This post assumes you know what each tool is and focuses on the diffs.
Bedrock: The PHP 8.3 Cutover, Pest Testing, and WP Packages
Bedrock’s 2025–2026 release cycle delivered five notable updates, with the current stable at 1.30.1 (released March 19, 2026).
1.29.0 — PHP 8.3 Minimum and Pest Testing
Released March 10, 2026, Bedrock 1.29.0 raised the minimum PHP version to 8.3, matching Sage and Acorn. This is a breaking change for any project still on PHP 8.1 or 8.2 — update your server’s PHP version before upgrading Bedrock.
The release also added:
- A Pest testing scaffold. Pest is a more expressive, readable alternative to PHPUnit, and Bedrock now includes an initial test directory with configuration wired up so you can start writing tests without setup friction.
- Opt-in WordPress development mode. The WP_DEVELOPMENT_MODE constant (WordPress 6.3+) is now first-class in Bedrock’s environment configuration.
- Environment-loading reliability fixes for edge cases involving symlinked .env files and Docker volumes.
1.30.0 / 1.30.1 — Migration from WPackagist to WP Packages
The headline change in March 2026’s Bedrock releases was the migration from WPackagist to the new WP Packages repository (covered in detail in the next post in this series). New Bedrock projects scaffold with WP Packages as the default Composer repository; existing projects can migrate with a one-line change to composer.json.
The bedrock-autoloader package also hit v1.1.0, adding plugin filtering (you can now exclude specific plugins from must-use autoloading) and better symlink handling for Dockerized development environments.
Why It Matters
The PHP 8.3 requirement is a hard dependency bump: if you haven’t updated your server’s PHP version, upgrading Bedrock will break installs. Pest being built-in lowers the barrier to writing tests, which historically has been a weak area in WordPress projects. The WPackagist → WP Packages migration is optional but recommended for the reliability and dev-trunk improvements.
Sage 11: Vite Replaces Bud, Tailwind 4, Acorn v5/v6
Sage 11 was the single biggest change in Roots history since Sage 9 moved to Webpack. The rewrite landed as v11.0.0 in March 2024, stabilized through 2024, and hit v11.2.0 in March 2025 — the version most new projects should start from today.
What Changed in v11
- Bud.js is out, Vite is in. Bud was a Roots-maintained wrapper around Webpack; Vite is the broader JavaScript ecosystem’s answer to Webpack’s speed and complexity problems. Builds are faster, HMR is instant, and the dependency surface is smaller.
- Tailwind CSS v4 is the default. The CSS-first configuration (@theme blocks inside the CSS file instead of tailwind.config.js) is the new canonical approach.
- Acorn v5 as a dependency, later bumped to Acorn v6 in v11.2.0.
- PHP 8.3 minimum — again, check your server before upgrading.
- Block editor HMR works. Save a CSS file and the iframed block editor refreshes styles without a full page reload.
v11.1 and v11.2 — Vite 8 and theme.json Partials
The point releases refined the Vite integration. v11.1.0 (March 23, 2025) added Vite v8 support via @roots/vite-plugin v2. One breaking change to watch: import.meta.glob patterns need to move from Vite config into laravel-vite-plugin’s assets option, a one-line migration covered in the Sage changelog.
The Roots Vite Plugin v2.1.0 (April 7, 2026) added a long-requested feature: theme.json partials. Block-specific styles can now live in co-located .theme.js files next to their blocks, and the build step merges them into a single theme.json at the project root. This scales much better than a single 2,000-line theme.json for large design systems.
If You’re Still on Sage 10
Sage 10 projects are not deprecated — they still work and receive security patches — but the bulk of new Roots work assumes Sage 11. If you’re starting a new project today, start with 11. If you’re on 10 and considering an upgrade, plan for a one-to-two-week effort: the Blade templates largely carry over, but every asset pipeline customization needs to be ported from Bud to Vite.
Trellis: Vagrant Retired, Lima VMs In
The biggest Trellis change in over a decade shipped in October 2025: Vagrant support was dropped entirely, replaced by Lima VMs. The official Trellis Drops Vagrant in Favor of Lima blog post has the full rationale, but the short version: Vagrant was slow, had too many abstraction layers (Ruby on top of VirtualBox on top of the host OS), and the VirtualBox side was increasingly unmaintained.
Lima uses native virtualization frameworks — the Virtualization.framework on macOS, KVM on Linux — with almost no abstraction overhead. For WordPress development specifically:
- File sync is faster. Vagrant’s NFS/rsync setup was a notorious pain point for large WordPress projects with thousands of uploaded media files. Lima’s mount handling is dramatically better.
- Boot time drops. A fresh trellis vm start finishes in 30–60 seconds, where Vagrant provisioning commonly took 3–5 minutes.
- Memory footprint is smaller. No VirtualBox overhead.
- Apple Silicon support is first-class. VirtualBox on Apple Silicon was always compromised; Lima uses the native Virtualization.framework and runs natively on M1/M2/M3/M4.
Windows users will want to run Lima inside WSL2, or use a different local development setup (Docker, LocalWP) while still using Trellis for remote provisioning and deploys.
Trellis 1.28 through 1.31 — The Smaller Changes
Across the release cadence:
- v1.28.0 (March 2025) — Ansible 2.19, default branch renamed from master to main, Redis as the default PHP session storage.
- v1.29.0 (March 2025) — HTTP/3 support in nginx, opt-in WordPress runtime hardening (disables file editing, blocks REST user enumeration).
- v1.30.0 (March 2025) — OPcache JIT disabled by default due to a PHP 8.3 tracing-mode memory leak. Composer custom-header authentication for premium plugin repositories.
- v1.31.0 (April 2025) — ssmtp replaced with msmtp (new Galaxy role roots.msmtp), Subversion added to default packages for Composer compatibility.
trellis-cli 1.16 / 1.17 — Pluggable Cloud Providers
The CLI gained pluggable server providers in December 2025. Hetzner Cloud and DigitalOcean are now first-class: one command spins up a new VPS, adds it to your Ansible inventory, and runs initial provisioning. For teams that manage many sites, this collapses what used to be a 10-step server-provisioning runbook into a single command.
Acorn: v5, v6, and a Growing Ecosystem
Acorn’s 2025–2026 releases aligned it with Laravel’s own versioning. Acorn v5 brought Laravel v12 compatibility and the Application::configure() pattern; Acorn v6 (March 2025, announced on the Roots blog March 2026 as “Acorn v6 Released”) brought Laravel v13 and made PHP 8.3 the minimum.
Key Changes in v5
- Application::configure() replaced the old Bootloader pattern, bringing Acorn in line with Laravel’s current app-bootstrap conventions.
- acorn:install and make:seeder commands — database seeders and install scaffolding are now first-class.
- Scheduling commands at parity with Laravel — full cron-style scheduling for background jobs.
- Session and flash data fixes (v5.1.0) for WordPress page-template requests and multisite cache isolation.
- Superglobal restoration (v5.1.1) fixed a regression where Request::capture() didn’t properly restore $_GET/$_POST.
The New Acorn Packages
Three new first-party Acorn packages shipped in the last 10 months, each tackling a problem WordPress doesn’t have clean primitives for:
- Acorn Post Types (June 2025) — declarative config-driven custom post types and taxonomies. A single config/post-types.php file replaces dozens of lines of register_post_type() boilerplate. Wraps the popular Extended CPTs library.
- Acorn User Roles (March 2026) — declarative user roles in config/user-roles.php with strict mode and explicit-denial capabilities. Solves the “capabilities added by a deactivated plugin persist in the database” problem by making roles a config artifact rather than a stateful thing.
- Acorn AI (February 2026) — bridges WordPress’s new Abilities API with Laravel’s laravel/ai package. Abilities become service-container-resolved with full dependency injection, API keys live in a single .env (not wp_options), and AI-backed features compose cleanly with the rest of an Acorn app.
Each of these is a standalone Composer package — you install what you need, nothing you don’t.
Radicle v2.6.0 — Laravel-Style Migrations and More
Radicle, the paid all-in-one Roots starter, reached v2.6.0 on April 13, 2026. The 2.x line continued to refine the Laravel-parity directory structure and shipped several quality-of-life improvements:
- Acorn v6 as the baseline dependency.
- Updated mu-plugin defaults — newer versions of Extended CPTs, Allow SVG, Query Monitor, Acorn Prettify, Acorn Mail, Blade Icons.
- Improved Laravel-style migrations, documented in Kinsta’s tutorial “Running Laravel-style database migrations in WordPress with Radicle” which is effectively the semi-official Radicle migrations guide.
- wp acorn make:block improvements for scaffolding dynamic blocks with server-side rendering and editor UI.
- Pest testing wired up by default.
Radicle remains the only paid Roots product. For teams that have bought in, the v2.6 release is a clean incremental upgrade. For teams still deciding, the feature gap between “Bedrock + Sage + Acorn glued together yourself” and Radicle keeps widening — but the tradeoff is the same as always: pay for the pre-wired integration or spend the time doing it yourself.
The New Composer Infrastructure: WP Packages and WP Sec Adv
The two entirely new projects Roots launched in 2026 sit at the Composer layer and affect every Roots user regardless of which core tool they use.
WP Packages (March 2026)
WP Packages is an independent, open-source Composer repository mirroring the WordPress.org plugin and theme directory, announced on March 16, 2026 and renamed from “WP Composer” on March 19 after Composer co-creator Nils Adermann pointed out the name was confusing.
Key advantages over WPackagist:
- Open-source codebase, community-funded.
- Public status page (launched April 2, 2026).
- SVN revision pinning for dev-trunk versions — stop getting surprise-changed plugin trunks between deploys.
- GitHub Action that injects changelogs and stable-version warnings into pull requests.
- Same package namespace conventions (wp-plugin/*, wp-theme/*) so migration is a one-line composer.json change.
WP Sec Adv (April 2026)
WP Sec Adv is a Composer repository that feeds WordPress-specific security advisories (sourced from Wordfence Intelligence) into composer audit, composer require, and composer install.
Historically, composer audit only caught vulnerabilities in PHP packages; WordPress plugins and themes installed via Composer were invisible to it. WP Sec Adv closes that gap. Run composer audit on a Bedrock project and you’ll now get warnings for known-vulnerable plugins, themes, and even WordPress core versions.
Features include:
- Twice-daily updates from Wordfence Intelligence.
- Custom mirror support for organizations that want to self-host the advisory feed.
- Explicit suppressions with required documentation — you can suppress a specific advisory, but you must explain why, and the reason gets stored in your lockfile.
- Replaces roave/security-advisories — which Bedrock removed in v1.28.4 because it only covered PHP packages, not WordPress plugins.
Together, WP Packages and WP Sec Adv represent a significant upgrade to the Composer-side infrastructure of the Roots ecosystem. Teams already on Bedrock get immediate benefits: more reliable package distribution, automatic security scanning, fewer surprises between deploys.
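Once plugin and theme advisories show up in composer audit, the output can gate a CI build. The script below is an added example, not code from Roots or WP Sec Adv: it reads `composer audit --format=json` output, separates wp-plugin/* and wp-theme/* findings from PHP-package findings, and rejects suppressions that lack a written reason. The sample data, advisory IDs, and the suppression mapping (advisory ID to reason) are constructed assumptions, not the project's own format.

```python
import json
import sys

# Constructed sample shaped like `composer audit --format=json` output.
# Package names and advisory IDs are placeholders, not real advisories.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "wp-plugin/example-forms": [
            {"advisoryId": "EXAMPLE-0001", "affectedVersions": "<2.4.1",
             "title": "Constructed: stored XSS"}],
        # Object keyed by index instead of a list: tolerated defensively below.
        "wp-theme/example-theme": {
            "1": {"advisoryId": "EXAMPLE-0002", "affectedVersions": "<1.9",
                  "title": "Constructed: path traversal"}},
        "vendor/php-lib": [
            {"advisoryId": "EXAMPLE-0003", "affectedVersions": "<3.0.2",
             "title": "Constructed: unsafe deserialization"}],
    },
    "abandoned": {},
})

WP_PREFIXES = ("wp-plugin/", "wp-theme/")  # namespaces named on this page


def _entries(value):
    """Return advisory dicts whether JSON gave a list or an index-keyed object."""
    return list(value.values()) if isinstance(value, dict) else list(value or [])


def gate(audit_json, suppressions=None):
    """Return unsuppressed findings as (kind, package, advisory_id, affected)."""
    suppressions = suppressions or {}
    # Hypothetical policy: a suppression without a written reason is rejected.
    blank = sorted(k for k, why in suppressions.items() if not str(why).strip())
    if blank:
        raise ValueError(f"suppression without a reason: {blank}")
    advisories = json.loads(audit_json).get("advisories") or {}
    if isinstance(advisories, list):  # a clean audit may serialize as []
        advisories = {}
    findings = []
    for package, raw in sorted(advisories.items()):
        kind = "wordpress" if package.startswith(WP_PREFIXES) else "php"
        for adv in _entries(raw):
            if adv["advisoryId"] not in suppressions:
                findings.append((kind, package, adv["advisoryId"],
                                 adv.get("affectedVersions", "")))
    return findings


if __name__ == "__main__":
    # In CI, pipe real output in: composer audit --format=json | python gate.py
    data = SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()
    results = gate(data)
    for row in results:
        print(*row, sep="\t")
    sys.exit(1 if results else 0)
```

A non-zero exit fails the pipeline step, so a newly published advisory against an installed plugin blocks the deploy until the package is updated or a suppression with a reason is recorded.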
Notable Community and Philosophical Moments
A few Roots blog posts from 2025–2026 worth reading for ecosystem context:
- “Stop using wp_localize_script for data” (Nov 2025) — Roots argued that wp_localize_script(), commonly used to pass PHP data to JavaScript, is misusing a function intended for internationalization. Use wp_add_inline_script() instead.
- “REST API > admin-ajax.php” (Nov 2025) — a straightforward argument that admin-ajax is a legacy pattern; everything new should use the WordPress REST API.
- “WordPress should adopt PER-CS and drop EOL PHP versions” (Dec 2025) — commentary on the WordPress community coding standards and PHP version support policy.
- “Plugin headers are outdated” (March 2026) — a proposal to replace WordPress’s plugin header comment format with a plugin.json manifest, aligning with modern PHP conventions.
- “The GiveWP incident and auto-updates” (Aug 2025) — the now-infamous incident where an auto-updated plugin release broke thousands of sites, used as a cautionary tale for why Composer + pinned dependencies beats auto-updates.
- “Prefix namespaces in distributed plugins” (Oct 2025) — a guide to using PHP-Scoper to avoid Composer dependency conflicts in plugins that ship vendored dependencies.
Reading the Roots blog regularly is worth the time investment — it’s one of the best sources of opinionated, well-argued thinking on modern WordPress development.
What Should You Actually Upgrade?
If you’re on a Roots stack that hasn’t been updated in a year, here’s the priority order:
1. Update your server’s PHP to 8.3+. Everything else depends on this.
2. Upgrade Bedrock to 1.30.x. Get the WP Packages migration and Pest scaffolding. Run the full site locally first.
3. Add WP Sec Adv to composer.json. Five-minute change, significant security-posture improvement.
4. Upgrade Trellis to 1.31.x and switch local dev to Lima. Lima alone is worth the upgrade for macOS users.
5. Upgrade Acorn to v6 and Sage to 11.2. Do this on a staging branch; the Bud-to-Vite migration takes real testing.
6. If you’re on Radicle, upgrade to v2.6.0. Standard incremental upgrade.
7. Evaluate the new Acorn packages (Post Types, User Roles) for your next project. Don’t retrofit them onto existing code unless you have a reason.
Frequently Asked Questions
Is Bedrock 1.30 backward compatible with older projects?
Mostly yes, with two exceptions: PHP 8.3 is required (hard break), and you’ll want to migrate from WPackagist to WP Packages (one-line composer.json change, not strictly required but recommended). Project-level code keeps working without changes.
Can I still use Vagrant with Trellis?
Not on Trellis 1.31+. The Vagrantfile was removed entirely. If you need to stay on Vagrant for some reason (organizational policy, legacy tooling), you’ll need to pin Trellis at 1.30.x, which is a dead-end branch. The migration to Lima is the expected path forward.
Do I need to migrate from WPackagist to WP Packages?
No, WPackagist still works and continues to be maintained. The migration is recommended for the reliability and dev-trunk pinning improvements, but it’s not urgent. If you have time, do it; if not, don’t let it block other work.
What’s the fastest way to adopt WP Sec Adv?
Add the repository to composer.json, run composer update, then run composer audit. Any advisories against plugins or themes in your project will surface as warnings. The whole adoption takes under ten minutes.
Is the Sage 10 → Sage 11 upgrade worth it for existing projects?
Only if you’re actively developing the theme. For a stable production site that rarely gets theme changes, Sage 10 continues to work fine. For projects under active design development, the Vite HMR and Tailwind 4 story alone justifies the migration effort — plan about a week for a medium-complexity theme.
Are there any 2026 releases still pending?
As of April 2026, the current stable versions are Bedrock 1.30.1, Sage 11.2.0, Trellis 1.31.1 (with trellis-cli 1.17.x), Acorn 6.0.0, and Radicle v2.6.0. New minor releases ship roughly monthly across the stack. Watch github.com/roots for release notifications.
Catch Up Incrementally, Not All at Once
The 2025–2026 release cadence was unusually heavy. If you’re coming back to a Roots project after a year away, don’t try to upgrade everything in one sprint — you’ll spend the whole week debugging PHP version mismatches and Composer resolution errors. Take the priority list above and work through it over a couple of sprints, testing after each step.
At Emnes, we’re running the full updated stack across 18 production WordPress sites. If you want help planning an upgrade or want to share notes on what broke during your own migration, get in touch. We’re always happy to compare notes.
Next in this series: The Roots.io Stack Explained is the 30,000-foot view; the next post goes deep on Bedrock specifically. Also see our guides to WordPress plugin security in 2026 and reading WordPress debug logs.