🐘 FrankenPHP 1.12.4 is out: a security hardening release. Highlights: - Underscore header spoofing blocked at the server layer. The bundled @caddyserver 2.11.4 now ignores header names containing underscores, closing a class of $_SERVER spoofing. - Bundled @MercureRealTime 0.24.2 security fixes: SSE field injection (CWE-93), reserved-topic forgery, Last-Event-ID disclosure, DoS amplification caps. - Worker-mode crash and data-race fixes: ext-parallel, metrics, save/close handler. Every user should upgrade. github.com/php/frankenphp/re…

🔒 @MercureRealTime 0.24.2 is out, a security hardening release for the real-time hub. It rejects SSE field injection (CWE-93) via the id and type fields, blocks forgery of the reserved /.well-known/mercure namespace, fixes a Last-Event-ID metadata leak, and caps element counts to defang DoS amplification. Every hub operator should upgrade. github.com/dunglas/mercure/r…

🛰 @MercureRealTime 0.24.1 is out, riding on @caddyserver 2.11.3. We just contributed native OTLP metrics push to Caddy upstream. Mercure hubs can now ship metrics straight to your OpenTelemetry collector. No Prometheus scrape job needed. Drop metrics { otlp } into your Caddyfile and the standard OTEL_* env vars do the rest. Endpoint, protocol, headers, interval, all of it. Pairs nicely with the OTel tracing that landed in 0.24, so traces metrics work end-to-end against any OTLP backend (Grafana Alloy, OTel Collector, Tempo/Mimir, Honeycomb, Datadog, …). Release notes: github.com/dunglas/mercure/r… Upstream Caddy PR: github.com/caddyserver/caddy…

🚀 Mercure 0.24 is out! @MercureRealtime gains native OpenTelemetry tracing for the Hub: dedicated spans nest under @caddyserver's tracing directive, with zero allocations when disabled. Also in this release: • file:// URLs for publisher_jwks_url and subscriber_jwks_url, so you can mount a JWK Set as a Kubernetes Secret instead of running a sidecar. • A @HelmPack chart that satisfies the restricted Pod Security Standard out of the box: rootless UID 1000, drop ALL caps, read-only rootfs. On the Enterprise side, all four production transports (Redis, PostgreSQL, Kafka, Pulsar) now emit OpenTelemetry spans too, with attributes and error recording matching the upstream pattern. github.com/dunglas/mercure/r…

🚀 @MercureRealTime v0.23.5 is out! This release focuses heavily on Helm chart hardening. After a recent cluster audit, we've shipped the necessary constraints directly into the OSS chart. Key highlights: 🔒 Opt-in NetworkPolicy & CiliumNetworkPolic 📁 readOnlyRootFilesystem works out of the box 🛡️ Restricted PodSecurity defaults I wrote a blog post breaking down the full story, the new security features, and how to configure them. Read it here: dunglas.dev/2026/05/mercure-… #Kubernetes #Helm #DevOps #MercureRocks

Learn how we cut our cloud costs by nearly 50% while improving the resilience and performance of the managed version of @MercureRealTime through infrastructure and code optimization: les-tilleuls.coop/en/blog/sc…

🚨 @MercureRealTime 0.23 is officially out! 🚨 This release brings a massive operational improvement for modern infrastructures, along with new Helm chart features. If you are running Mercure at scale, you'll want this update! 🚀 Here is what's new in v0.23.0: 🩺 Transport-aware Health Checks: Kubernetes (and other orchestrators) can now detect when a hub's transport connection is actually broken, rather than just checking if the Caddy process is alive. I’ve introduced new /mercure/health/{ready,live} endpoints. The old /healthz HTTP port endpoint is now deprecated. 🛥️ Helm Chart Upgrades: Added support for HTTProute as an alternative to Ingress for Gateway API-based clusters. In addition, you can now configure annotations directly on the Deployment resource. 🏢 Enterprise Goodies: All Enterprise transports (Redis, Postgres, Kafka, and Pulsar) fully implement the new health checks. Production clusters using managed brokers now get 100% accurate readiness/liveness signals out of the box. 🙏 Huge thanks to our new contributor vmignot for adding the deployment annotations feature! Read the full changelog and download the release: 🔗 github.com/dunglas/mercure/r… #Mercure #GoLang #Kubernetes #ServerSentEvents #OpenSource

We've just finalized our next-gen AI-powered security audit tool at @coopTilleuls! We used it to discover and patch a critical vulnerability in @MercureRealTime as well as in several of our clients' projects. The Mercure fix also made topic matching 38% faster! ⚡️ 1. Update Mercure and FrankenPHP immediately. (Using Mercure.rocks Cloud? You're already updated and protected! ☁️✅) 2. Want us to secure your stack? Contact us for a full security audit! ✉️ contact@les-tilleuls.coop #CyberSecurity #AI #Mercure #FrankenPHP #OpenSource

🔥 @MercureRealTime v0.21.10 is here! 🚀 Built with @golang 1.26 (10–40% reduction in GC overhead) 🛠 Includes @caddyserver 2.11 Faster, leaner, and ready for production. Upgrade now! 🥳 github.com/dunglas/mercure/r…

🎄 Merry Christmas #PHP developers! 🎁 FrankenPHP 1.11 is out now! 🔥 Native Hot Reload (HMR) 🪵 Structured Logging 🚀 Improved Performance 🧸 PLUS: "Le Monstre" plushies are available for @ApiPlatform Con attendees! (Everyone else: Early 2026!) Unwrap it here (blog post, including Hot Reload with WordPress video): dunglas.dev/2025/12/merry-ch…

🧟‍♀️ After days and nights of toil: FrankenPHP 1.10 is alive! 🧟‍♂️ The creature is awake and brings unprecedented power to your #PHP applications: 🐘 PHP 8.5 support 🪽 New mercure_publish() function for easy real-time broadcasting with @MercureRealTime ⚙️ Enhanced extensions & custom workers (hello high-performance gRPC and WebSockets servers!) Downloads and changelog, right from our laboratory: github.com/php/frankenphp/re…

Au #ForumPHP 2025, notre coopérateur Albin a tenté de transformer 300 téléphones en pixels pour dessiner le logo #PHP dans la salle. Une expérience participative et interactive à base de PHP, Mercure, #FrankenPHP et @clever_cloud que l'on vous invite à découvrir sous ce post ⬇️

No more CORS headaches! 🤯 @MercureRealTime now supports 🌟 wildcards 🌟 for CORS and allowed publication domains! The highly requested feature is finally here. Go check out the details and update your setup! 👇 github.com/dunglas/mercure/p…

I just merged some improvements to FrankenPHP's documentation: 🪽 New @MercureRealTime tutorial: frankenphp.dev/docs/mercure/ ⛽️ New @MercureRealTime with #Laravel Octane tutorial: frankenphp.dev/docs/laravel/… 🔧 Improved config reference: frankenphp.dev/docs/config/ 🔓 Guide to disable HTTPS: frankenphp.dev/docs/config/#…

New versions of @MercureRealTime and Vulcain compiled with @golang 1.25 and @caddyserver 2.10.2 are now available!

🪽 @MercureRealTime 0.20 has just been tagged. This new version introduces an automatic protection against thundering herd problems github.com/dunglas/mercure/r…

If FrankenPHP reaches 10k stars on GitHub, we’ll start making a FrankenPHP elephpant 👀

@MercureRealTime is the best SSE tool

I've just released a new version of @MercureRealtime that fixes a few hangs and memory leaks. Update now! github.com/dunglas/mercure/r…

With Mercure support inside 😍