v4.3.4

🔐 Security Update for NGINX users

Note

CVEs below are in nginx/nginx upstream, not in this repo. This PR only bumps the NGINX we install.

Important

If you are running a 7.4-fpm-nginx-alpine or 8.0-fpm-nginx-alpine, you will still be vulnerable because PHP no longer is providing image updates. See our SECURITY.md for more information why we still provide old versions.

---

Upstream CVEs (NGINX 1.28.3)

CVE	CVSS 3.1	NVD	nginx	Issue	F5 advisory
CVE-2026-27654	8.2	High	Med	ngx_http_dav_module buffer overflow	K000160382
CVE-2026-27784	7.8	High	Med	ngx_http_mp4_module (32-bit; mp4)	K000160364
CVE-2026-32647	7.8	High	Med	ngx_http_mp4_module crafted MP4	K000160366
CVE-2026-27651	7.5	High	Low	Mail auth CRAM-MD5/APOP, Auth-Wait	K000160383
CVE-2026-28755	5.4	Med	Med	Stream OCSP bypass	K000160368
CVE-2026-28753	3.7	Low	Med	ngx_mail_smtp_module CRLF / DNS	K000160367

Fixed in 1.28.3+ stable (1.29.7+ mainline) per nginx.org advisories.

What's Changed

• (docs) Remove healthcheck from frankenphp configuration by @emaia in #661
• Security: Update NGINX version for Alpine and Debian configurations to 1.28.3 by @jaydrogers in #666

New Contributors

• @emaia made their first contribution in #661

Full Changelog: v4.3.3...v4.3.4

v4.3.3

🤩 What's new

• Upgrade FrankenPHP to v1.11.3 by @kohenkatz in #660

📕 Docs

• Bump @serversideup/project-switcher-bar from 0.0.4 to 0.0.5 in /docs by @dependabot[bot] in #658

Full Changelog: v4.3.2...v4.3.3

v4.3.2

Upgrades FrankenPHP to v1.11.2 which includes security updates, including one with HIGH severity:

🛡️ Security Fixes (from FrankenPHP's repo)

• GHSA-g966-83w7-6w38: Path confusion via Unicode casing in CGI path splitting could allow execution of arbitrary files.
• GHSA-r3xh-3r3w-47gp: Fixed a session leak between requests handled by workers.
• GHSA-x9p2-77v6-6vhf: Fixed delayed propagation of security fixes in upstream base Docker images.

Full Changelog: v4.3.1...v4.3.2

v4.3.1

🔐 Security update

• Updates NGINX to v1.28.2 which addresses a SSL upstream injection vulnerability (CVE-2026-1642). (Fixes #648)

🏃‍♂️ CI/CD

• Converted to the Depot CLI for building docker images, reducing build times and improving build reliability (thanks for sponsoring our project, Depot! 🎉)

Full Changelog: v4.3.0...v4.3.1

v4.3.0

🤩 What's new

• Update PHP base operating systems. Add Alpine 3.23 support (#638)
• Upgraded NGINX to v1.28.1
• Upgraded FrankenPHP to v1.11.1

🔐 Security Improvements

• Prevent all .php files from being executed from /storage/* for NGINX, Apache, and FrankenPHP (#641)
• Refactor and improve security headers, file blocks, etc (#631)

⏫ Dependency Upgrades

• Updated PHP extension installer to 2.9.27
• Updated a number of GitHub Action libraries for CI/CD
• Upgraded our GitHub Actions runners to faster systems (Thanks Depot!)

⭐️ New Contributors

• @alisalehi1380 made their first contribution in #636
• @alloylab made their first contribution in #638
• @marns93 made their first contribution in #631
• @Tamas-hi made their first contribution in #630

Full Changelog: v4.2.1...v4.3.0

v4.3.0-beta1

🤩 What's new

• Update PHP base operating systems. Add Alpine 3.23 support (#638)
• Upgraded NGINX to v1.28.1
• Upgraded FrankenPHP to v1.11.1

🔐 Security Improvements

• Prevent all .php files from being executed from /storage/* for NGINX, Apache, and FrankenPHP (#641)
• Refactor and improve security headers, file blocks, etc (#631)

⏫ Dependency Upgrades

• Updated PHP extension installer to 2.9.27
• Updated a number of GitHub Action libraries for CI/CD
• Upgraded our GitHub Actions runners to faster systems (Thanks Depot!)

⭐️ New Contributors

• @alisalehi1380 made their first contribution in #636
• @alloylab made their first contribution in #638
• @marns93 made their first contribution in #631
• @Tamas-hi made their first contribution in #630

Full Changelog: v4.2.1...v4.3.0-beta1

v4.2.1

⏫ Dependency update

• Update FrankenPHP to v1.10.1 by @jaydrogers in #623

See the official FrankenPHP release notes for what's new.

Full Changelog: v4.2.0...v4.2.1

v4.2.0

🤩 What's new

• FrankenPHP has been upgraded to v1.10.0. Check the official FrankenPHP release notes for what's new in this version

Full Changelog: v4.1.0...v4.2.0

v4.1.0

PHP 8.5 now available 🎉

Our default images now ship with PHP 8.5! This new version of PHP includes:

• URI Extension
• Pipe Operator
• Clone With
• A new #[\NoDiscard] attribute
• Closures and first-class callables in constant expressions
• Persistent cURL share handles

Read all about what's new →

NGINX Unit has now been removed 🫡

Note

NGINX stopped maintaining the NGINX Unit project in October 2025. Read the official announcement →

Although we had a lot of fun putting together the NGINX Unit variation, we had to remove it from our project because it's no longer maintained. Thankfully we have options for those who use our NGINX Unit variations. We put together documentation for you on what you should do next if you're affected by Unit being discontinued.

Learn more what to do next→

Full Changelog: v4.0.0...v4.1.0

v4.1.0-beta1

🤩 What's new

• Adds PHP 8.5 support 🎉
• Removes NGINX Unit from the project (farewell 🫡)