
chore: upgrade FrankenPHP to 1.12.4 and Keycloak to 26.6#649

Merged
vincentchalamon merged 4 commits into 4.3 from chore/frankenphp-1.12.4 on Jun 4, 2026

Conversation

@vincentchalamon

@vincentchalamon vincentchalamon commented Jun 4, 2026

Contributor

What

Pins/bumps third-party Docker images:

  • FrankenPHP 1 (floating) → 1.12.4 (base + builder stages, api/Dockerfile)
  • Keycloak 26.4 → 26.6 (helm/api-platform/keycloak/Dockerfile)
  • keycloak-config-cli 6.5.0-26 → 6.5.1-26 (helm/api-platform/values.yaml)

Why

FrankenPHP v1.12.4 is a security release:

  • Blocks underscore HTTP header spoofing (Caddy dash-to-underscore $_SERVER collision)
  • Bundles Caddy 2.11.4 security fixes (TLS client-auth, Windows path matcher, rewrite placeholder, GHSA-vcc4-2c75-vc9v)
  • Bundles Mercure 0.24.2 hardening (SSE field injection CWE-93, reserved topic forgery, Last-Event-ID disclosure, DoS caps)

Ref: https://github.com/php/frankenphp/releases/tag/v1.12.4

Keycloak 26.4 → 26.6 picks up upstream security/bug fixes; config-cli bumped to the matching latest patch.

Other images (node:lts, postgres:16-alpine, redis:8-alpine, cloudnative-pg/postgresql:16) use floating tags and update on rebuild.

Closes #648

🤖 Generated with Claude Code

vincentchalamon and others added 2 commits June 4, 2026 15:50
Security release: blocks underscore header spoofing, bundles Caddy
2.11.4 and Mercure 0.24.2 security fixes. Pins both build stages to
the fixed version. Closes #648.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Picks up upstream Keycloak security/bug fixes (26.4 -> 26.6) and the
latest keycloak-config-cli patch aligned on Keycloak 26.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@vincentchalamon vincentchalamon changed the title chore(api): upgrade FrankenPHP to 1.12.4 chore: upgrade FrankenPHP to 1.12.4 and Keycloak to 26.6 Jun 4, 2026
@vincentchalamon vincentchalamon added the deploy Deploys Pull Request label Jun 4, 2026
Keycloak 26.5+ no longer auto-registers script-based authorization
policies. The bundled owner-policy.jar deploys "script-owner-policy.js",
so realm import failed with "Couldn't find policy provider". Enable the
scripts feature via KC_FEATURES so it loads in both start (optimized)
and start-dev modes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Temporarily revert the Keycloak 26.6 / config-cli bump to confirm it is
the cause of the E2E @Write regression. FrankenPHP 1.12.4 (issue #648)
is kept.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@vincentchalamon vincentchalamon merged commit 9ab8942 into 4.3 Jun 4, 2026
7 checks passed
@vincentchalamon vincentchalamon deleted the chore/frankenphp-1.12.4 branch June 4, 2026 15:37

Development

Successfully merging this pull request may close these issues.

Security update: FrankenPHP v1.12.4
