From 229b61e6596506cc60b61a2de3a865e5127a9397 Mon Sep 17 00:00:00 2001 From: loks0n <22452787+loks0n@users.noreply.github.com> Date: Sun, 7 Jun 2026 17:14:11 +0100 Subject: [PATCH 1/2] Bump php:8.5-alpine base digest to patch curl/libxml2/xz/nghttp2 CVEs The pinned base (dccc3abc) shipped vulnerable curl 8.17.0-r1, libxml2 2.13.9-r0, nghttp2-libs 1.68.0-r0 and xz 5.8.2-r0. Upstream rebuilt php:8.5-alpine (same Alpine 3.23.4) with the patched packages (curl 8.19.0-r0, libxml2 2.13.9-r1, nghttp2-libs 1.69.0-r0, xz 5.8.3-r0), clearing the open Trivy alerts: CVE-2026-6732 (libxml2, HIGH), CVE-2026-27135 (nghttp2, HIGH), CVE-2026-34743 (xz), CVE-2026-1965/3783/3784/3805/2025-14017/ 14524/14819 (curl). Bumping the pinned digest keeps builds reproducible rather than floating package versions with apk upgrade. Co-Authored-By: Claude Opus 4.8 (1M context) --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fb5fb2b..92453ec 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Pin php:8.5-alpine by multi-arch index digest. Bump with: # docker buildx imagetools inspect php:8.5-alpine | head -2 -ARG BASE_IMAGE="php:8.5-alpine@sha256:dccc3abcf3d37a6bb081477a66ed4344716784a6ef5107625ae6ba9ec52df778" +ARG BASE_IMAGE="php:8.5-alpine@sha256:3cfccf28acfbb58ae991324612a3b0e2062a572026bb4dca030020e5295d1633" FROM $BASE_IMAGE AS compile From 1786d7a79cb1882703ce3bfb8cbb5af6738eb023 Mon Sep 17 00:00:00 2001 From: loks0n <22452787+loks0n@users.noreply.github.com> Date: Sun, 7 Jun 2026 17:40:02 +0100 Subject: [PATCH 2/2] Loosen PHP version structure test to 8.5.* (base bump ships 8.5.7) Co-Authored-By: Claude Opus 4.8 (1M context) --- tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests.yaml b/tests.yaml index 7020321..926e132 100644 --- a/tests.yaml +++ b/tests.yaml 
@@ -91,7 +91,7 @@ commandTests: command: "php" args: ["-v"] expectedOutput: - - "PHP 8.5.5 (cli)*" + - "PHP 8.5.* (cli)*" - name: 'ImageMagick supported formats' command: "php" args: ["-i"]
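Review bot: In the Dockerfile hunk, nothing in the change verifies that the new index digest (3cfccf28…) actually carries the patched packages the commit message lists (curl 8.19.0-r0, libxml2 2.13.9-r1, nghttp2-libs 1.69.0-r0, xz 5.8.3-r0), and an index digest spans several per-architecture manifests, so the claim rests on an out-of-band Trivy run. Suggest adding a commandTest to tests.yaml next to the existing `php -v` check (for example `command: "apk"`, `args: ["info", "-v"]`, with an expectedOutput entry per patched package) so a future digest bump cannot silently regress them, and noting in this commit message that the bump also moves PHP from 8.5.5 to 8.5.7, since that is the reason PATCH 2/2 exists.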
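Review bot: In the tests.yaml hunk, the loosened pattern "PHP 8.5.* (cli)*" is broader than the 8.5.x family it is meant to accept: if expectedOutput is evaluated as a regular expression (as container-structure-test's commandTests do), the unescaped dots and the trailing `.*` also match strings such as "PHP 8x5 (cli)" or "PHP 8.55 (cli)", and `(cli)*` makes the SAPI part optional, so the check no longer confirms the CLI build at all (the previous "PHP 8.5.5 (cli)*" had the same escaping problem). Suggest `- 'PHP 8\.5\.[0-9]+ \(cli\)'`. Separately, because the base is pinned by digest the PHP patch level is fully deterministic, so keeping an exact "8.5.7" and updating it with each digest bump would preserve the test's ability to flag an unexpected base change; if the looser form is preferred, the commit message should state that trade-off.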