Update dunglas/frankenphp Docker tag to v1.12.3 #7
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
1.12.2-php8-alpine → 1.12.3-php8-alpine
Release Notes
php/frankenphp (dunglas/frankenphp)
v1.12.3 (Compare Source)
This release fixes CVE-2026-45062 (high, CVSS 8.1): unsafe Unicode handling in CGI path splitting let an attacker have a non-.php file executed as PHP via a crafted URL, in any deployment where attacker-controlled file names land on the served filesystem. All users on v1.11.2 through v1.12.2 should upgrade.
It also brings a ~7-8% Hello World throughput bump from a refreshed PGO profile, configurable per-thread request limits, persistent-zval helpers for sharing state across threads, a cross-platform force-kill primitive for stuck PHP threads, correct SCRIPT_NAME / PHP_SELF / PATH_INFO server variables, and a long series of frankenphp extension-init (extgen) generator fixes by @alexandre-daubois.
Released binaries now carry SLSA build-provenance attestations — verify with gh attestation verify <binary> --owner php or gh attestation verify oci://docker.io/dunglas/frankenphp@sha256:... --owner php.
🔒 Security
🚀 Features
max_requests for PHP threads by @nicolas-grekas in #2292
🐛 Fixes
$_SERVER variables SCRIPT_NAME, PHP_SELF, and PATH_INFO correctly by @henderkes in #2317
pthread_fork children by @henderkes in #2332
INI_INT() macro by @zeriyoshi in #2387
split_path at provision time by @alexandre-daubois in #2350
extgen parser hardening by @alexandre-daubois: better error handling (#2370), emit warnings to stderr (#2374), reset iota per const block (#2375), escape control chars in C string literals (#2377), extract Go function bodies via go/ast (#2379), symmetric Go type compatibility check (#2380)
⚡ Performance and Internal Improvements
perf(extgen): hoist const block regexes out of parser loop by @alexandre-daubois in #2378
refactor: add drain() seam to threadHandler interface by @nicolas-grekas in #2367
refactor(extgen): share signature and parameter parsing helpers by @alexandre-daubois in #2376
📝 Documentation
llms.txt, and code-block hygiene by @dunglas in #2394
migrate.md by @francislavoie in #2337
💖 New Contributors
Need help adopting FrankenPHP, hardening a PHP application against issues like CVE-2026-45062, or squeezing more performance out of your workers? Les-Tilleuls.coop — the team behind FrankenPHP — provides professional support, consulting, custom development, and training. Get in touch: contact@les-tilleuls.coop.
Full Changelog: php/frankenphp@v1.12.2...v1.12.3
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
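Added example, not part of this PR, Renovate, or FrankenPHP: a small scanner that flags dunglas/frankenphp image references pinned to a version in the range the release notes above give as affected by CVE-2026-45062 (v1.11.2 through v1.12.2). The function names, the sample input, and the assumption that a pinned tag starts with a full major.minor.patch version (as in 1.12.2-php8-alpine) are this example's own.

```python
import re

# Affected range as stated in the release notes (fixed in v1.12.3).
AFFECTED_MIN = (1, 11, 2)
AFFECTED_MAX = (1, 12, 2)

# Matches references such as dunglas/frankenphp:1.12.2-php8-alpine,
# optionally prefixed with docker.io/ and optionally pinned by digest.
IMAGE_RE = re.compile(
    r"(?:docker\.io/)?dunglas/frankenphp"
    r"(?::(?P<tag>[\w][\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)
# Assumption: a pinned tag begins with major.minor.patch, then "-" or end.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-|$)")


def classify_tag(tag):
    """Return 'affected', 'ok' or 'unknown' for a FrankenPHP image tag."""
    m = VERSION_RE.match(tag or "")
    if not m:
        # Floating tags (latest, 1, 1.12) or digest-only references do not
        # name a full version; the image itself has to be inspected.
        return "unknown"
    version = tuple(int(p) for p in m.groups())
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "ok"


def scan(text):
    """Return (line_no, image_ref, status) for each FrankenPHP reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out lines
        for m in IMAGE_RE.finditer(line):
            findings.append((line_no, m.group(0), classify_tag(m.group("tag"))))
    return findings


# Constructed sample input (Dockerfile and compose lines mixed for brevity).
SAMPLE = """\
FROM dunglas/frankenphp:1.12.2-php8-alpine AS app
# FROM dunglas/frankenphp:1.11.2
FROM docker.io/dunglas/frankenphp:1.12.3-php8-alpine
image: dunglas/frankenphp:latest
image: dunglas/frankenphp:1.11.1-php8.3
"""

if __name__ == "__main__":
    for line_no, ref, status in scan(SAMPLE):
        print(f"line {line_no}: {ref}: {status}")
```

An "unknown" result means the tag does not pin a full version, so the reference should be resolved to a digest and checked separately.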