PHP · RFC Watch
PHP Internals ([RFC]/[VOTE]), July 7, 2026 — An RFC proposes multiple deprecations targeting PHP 8.6. Discussion on the internals list focuses on the absence of impact analysis for existing code in many proposals. Contributors debate the need for systematic assessment before removing features and suggest using tools such as PHPCompatibility to evaluate real-world effects across codebases.
curated by Georg
PHP · Security
FrankenPHP Releases, July 10, 2026 — FrankenPHP 1.12.4 closes HTTP header spoofing via underscore collision, bundles Caddy 2.11.4 and Mercure 0.24.2 security patches, and fixes worker-mode crashes and data races. The CGI dash-to-underscore mapping allowed attackers to forge headers; Caddy now strips underscores at server layer. All users should upgrade immediately.
curated by Heiko
PHP · Releases
Composer Releases, July 8, 2026 — Composer 2.10.2 delivers multiple security fixes: package name validation, protection against path traversal in bin paths, sanitization of credentials in verbose output, stricter redirect handling, and prevention of phar metadata unserialization. Additional changes include retry logic for GitHub downloads, improved audit output, self-update warnings for EOL versions, and several bug fixes.
curated by Georg
The Wider Stack
Dev · Security
Django has released versions 6.0.7 and 5.2.16 to address three low-severity security issues across supported branches. The fixes cover a cached Set-Cookie exposure risk, a heap buffer over-read in GDALRaster, and a header injection possibility in DomainNameValidator. Users are advised to upgrade pro…
curated by Charlie