⚒️ FrankenPHP.dev, Mercure.rocks, @api-platform.com, @symfony.com
🧑💻 Founder of @les-tilleuls.coop, a developer co-op
Kévin Dunglas
Loading...
FrankenPHP 1.12.4 is out, a security hardening release.
Underscore header spoofing is now blocked at the server layer (Caddy 2.11.4), bundled Mercure 0.24.2 security fixes land, plus worker-mode crash and race fixes. Every user should upgrade.
github.com/php/frankenp...
FrankenPHP 1.12.4 is a hardening and stability release. It pulls in upstream security fixes from Caddy 2.11.4 and Mercure 0.24.2, closes a class of HTTP header spoofing, and fixes several crashes a...
github.com
Kévin Dunglas
🔒 API Platform CVE-2026-49858: JSON:API & HAL normalizers cached components across users on long-running runtimes (FrankenPHP, RoadRunner, Swoole).
Patched in 4.1.29 / 4.2.25 / 4.3.8 — upgrade now.
github.com/api-platform...
Today we published our Impact and Transparency Report for 2025. We are incredibly grateful for our sponsors, partners, contractors, & individual financial contributors for without them, none of our work would be possible. thephp.foundation/blog/2026/05...
#php #opensource
Let's face it: coding agents work pretty well these days, and Claude Code is the leader. That's why I recently patched Symfony Docker to support it out of the box.
### Impact
`#[ApiProperty(security: ...)]` is evaluated per request to decide whether a property is exposed. The `componentsCache` arrays in `ApiPlatform\JsonApi\Serializer\ItemNormalizer` and `Ap...
However, I wasn't comfortable shipping a proprietary tool using proprietary models controlled by a hostile state, all while having a heavy environmental impact. The sudden Fable ban finally convinced me this wasn't the way.
Ready to code at the speed of thought? ⚡
Forget Docker headaches and slow cache warmups. At #SymfonOnline, I’m showing how FrankenPHP redefines @symfony.com DX with instant setups, true hot reloading via Mercure, and sandboxed AI agent integration.
📅 June 12
🎟️ live.symfony.com/2026-online-...
Mercure 0.24.2 is out: a security hardening release. Rejects SSE field injection (CWE-93) via id/type, blocks reserved-namespace forgery, fixes a Last-Event-ID leak, caps element counts against DoS. Upgrade your hub.
github.com/dunglas/merc...
Consequently, I just unbundled Claude Code from Symfony Docker and added docs explaining how to install OpenCode with open-weight models (like Mistral Medium 3.5, GLM-5.2, DeepSeek AI v4), locally or remotely.
Use a French hosting provider to benefit from a greener power grid!
The docs also cover how to add Claude Code back if you still want to use it. OpenCode can also be used with any proprietary provider (Anthropic, OpenAI, Google...).
lnkd.in/ekU8GMYv
This is exactly why we built FrankenPHP's extension infrastructure!
Check out FrankenScriptling: a new extension that lets you use the Scriptling scripting language (Python-like) inside PHP.
Since Scriptling is in Go, FrankenPHP makes embedding it seamless. Love seeing this! 🐘🐹
This link will take you to a page that’s not on LinkedIn
Community Mercure 0.24.2 is a security hardening release. It closes an SSE field-injection vector (CWE-93), blocks forgery of the hub's reserved subscription-event topics, fixes a metadata leak in ...
