deps(deps): update ansible/ansible-lint action to v25

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ansible/ansible-lint	action	major	v24.12.2 -> v25.1.0

---

Release Notes

ansible/ansible-lint (ansible/ansible-lint)

v25.1.0

Compare Source

Enhancements

• Update requires_ansible default require >=2.16 (#​4479) @​samccann
• Bump the dependencies group in /.config with 6 updates (#​4482) @​dependabot[bot]
• Add write_exclude_list config option (#​4256) @​frq-asgard-josi

Bugfixes

• Remove dependency hack that prevents installation on Windows (#​4487) @​ssbarnea
• Allow ansible-lint action to be used from composite workflows (#​4481) @​drew-viles
• Fix WARN on empty/template meta/main.yaml (#​4379) @​GElkayam
• Move octal example code next to octals definition (#​4475) @​branic
• Refactor use of app instance (#​4478) @​ssbarnea
• Fix constraints with uv and update min requirements (#​4485) @​ssbarnea
• Require ansible-core>=2.16 (#​4483) @​ssbarnea
• Add EL 10 as a platform in the metadata schema (#​4464) @​antonc42
• Catch ansible-compat initialization warnings (#​4463) @​ssbarnea
• Avoid ruamel.yaml 0.18.7-0.18.8 due to regression (#​4462) @​ssbarnea

Other

• Bump codecov/codecov-action from 5.1.1 to 5.1.2 (#​4457) @​dependabot[bot]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:dc00bdbe08d7e3cc5066ca3d69104664255f8b6cec0d78b215cacfd450c89f84
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.21 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 c109802edd0ed0eeccdfdd58c646e375847bbccbef7110a2cb4638e74af20c59
digest	sha256:76f65a70210d2d9ff8f8e61305049bf0973d00a91a96f9440c8b5b47ee2e93f5
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:034b6e0600a6cf257bdec94095d4c0c526b51192ba1fc9a89f079b3c6a3ec646
vulnerabilities
platform	linux/amd64
size	108 MB
packages	231

📦 Base Image php:2b53de2fdc87e38f450a4c42f995704c4bc3bc789f010d1a69a860538f12fe60

also known as	8.1-alpine 8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:23e945b943a1f051e6a2aac1ca070f9f12dd04160afe16ae46c76d7820002a78
vulnerabilities
platform	linux/amd64
size	106 MB
packages	232

📦 Base Image php:8.3-fpm-alpine

also known as	8.3-fpm-alpine3.21 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21
digest	sha256:0b84bd208921ecbda2ce7d2dbd577915963534d10625dd009a715423ea636004
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:0280612a829dc4678e7cffa24e3aaf61c5dfb873f29810ddd5c9111f82265841
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:54b5ff554357a1100058bcce13b21851a693ca1636d4d8dae493079075d47ba0

also known as	8.1-fpm-alpine 8.1-fpm-alpine3.21 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21
digest	sha256:845dccbc2cf56631ba4f1d800eeb7d6a797efdae00a5e1c78b898cd67db26f48
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.27-fpm-alpine3.21
Digest	sha256:76f65a70210d2d9ff8f8e61305049bf0973d00a91a96f9440c8b5b47ee2e93f5
Vulnerabilities
Pushed	1 month ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.21, 8.2.27-fpm-alpine, 8.2.27-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	3 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:689e62a295ed2ca061b6cea339133ed419624bf4d4197bd78e32672e78f758b2
vulnerabilities
platform	linux/amd64
size	126 MB
packages	249

📦 Base Image php:2b53de2fdc87e38f450a4c42f995704c4bc3bc789f010d1a69a860538f12fe60

also known as	8.1-alpine 8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:fd8ad9ec98fd3bb1e04509afc8291d9b6ecf968b00d803d51be569b550624efe
vulnerabilities
platform	linux/amd64
size	110 MB
packages	231

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3.16-cli-alpine 8.3.16-cli-alpine3.21
digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.31-fpm-alpine3.21
Digest	sha256:845dccbc2cf56631ba4f1d800eeb7d6a797efdae00a5e1c78b898cd67db26f48
Vulnerabilities
Pushed	1 month ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.31-fpm-alpine, 8.1.31-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	3 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.16-fpm-alpine3.21
Digest	sha256:0b84bd208921ecbda2ce7d2dbd577915963534d10625dd009a715423ea636004
Vulnerabilities
Pushed	4 days ago
Size	33 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.21, 8.3.16-fpm-alpine, 8.3.16-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	3 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	3 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago
8.2-alpine Minor runtime version update Also known as: 8.2.27-cli-alpine 8.2.27-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:7e0784864ff2528fdd4a3aa6aefb480175a6be268992e13f9664543d9e93b9f5
vulnerabilities
platform	linux/amd64
size	109 MB
packages	231

📦 Base Image php:0f3e69aa84dedd26dfa550ca4d5dad530b2dd71fe8529ba45d7ce8585587f42e

also known as	8.2-alpine 8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2.27-cli-alpine 8.2.27-cli-alpine3.21
digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:10e78335441f0fce9e35d9d94590a2984a45ba4021826fca17df7191eec882df
vulnerabilities
platform	linux/amd64
size	127 MB
packages	249

📦 Base Image php:0f3e69aa84dedd26dfa550ca4d5dad530b2dd71fe8529ba45d7ce8585587f42e

also known as	8.2-alpine 8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2.27-cli-alpine 8.2.27-cli-alpine3.21
digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.16-alpine3.21
Digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
Vulnerabilities
Pushed	4 days ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.16-alpine, 8.3.16-alpine3.21, 8.3.16-cli-alpine, 8.3.16-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	3 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	3 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago
8.2-alpine Minor runtime version update Also known as: 8.2.27-cli-alpine 8.2.27-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:cd2725c699769704da7504d46b15c874f19827b1eaf145886c0885d24e30b8da
vulnerabilities
platform	linux/amd64
size	128 MB
packages	249

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3.16-cli-alpine 8.3.16-cli-alpine3.21
digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:0550a7365636f3ad137d07f140ada534d774a00a62c4d0e13e6706c390da405c
vulnerabilities
platform	linux/amd64
size	115 MB
packages	231

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 81e0beb4d1c873f343c6e1e7d6b85b43904695c5ac664030171c1769358c63f8 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:19eb27aa50868d39ceba56d3b1d4509537f7f22e130f3585c0df9f8eb8d9f015
vulnerabilities
platform	linux/amd64
size	109 MB
packages	232

📦 Base Image php:8-fpm-alpine

also known as	8-fpm-alpine3.21 8.4-fpm-alpine 8.4-fpm-alpine3.21 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 fpm-alpine fpm-alpine3.21
digest	sha256:233e88a1d9d93ba47555a69ee03b989e5e07d5046a9936008df523aa982bd4b8
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.27-alpine3.21
Digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.27-alpine, 8.2.27-alpine3.21, 8.2.27-cli-alpine, 8.2.27-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	3 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.27-alpine3.21
Digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.27-alpine, 8.2.27-alpine3.21, 8.2.27-cli-alpine, 8.2.27-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	3 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:9335a5f18bdbb0084fddc915d02e499bac96cb6704f1df2074b3986d295fac49
vulnerabilities
platform	linux/amd64
size	134 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 81e0beb4d1c873f343c6e1e7d6b85b43904695c5ac664030171c1769358c63f8 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.3-alpine3.21
Digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
Vulnerabilities
Pushed	3 days ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.3

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.3-alpine, 8.4.3-alpine3.21, 8.4.3-cli-alpine, 8.4.3-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.16-alpine3.21
Digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
Vulnerabilities
Pushed	4 days ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.16-alpine, 8.3.16-alpine3.21, 8.3.16-cli-alpine, 8.3.16-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	3 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.21
Digest	sha256:233e88a1d9d93ba47555a69ee03b989e5e07d5046a9936008df523aa982bd4b8
Vulnerabilities
Pushed	3 days ago
Size	36 MB
Packages	53
Flavor	alpine
OS	3.21

The base image is also available under the supported tag(s): 8-fpm-alpine3.21, 8.4-fpm-alpine, 8.4-fpm-alpine3.21, 8.4.3-fpm-alpine, 8.4.3-fpm-alpine3.21, fpm-alpine, fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	4 days ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.9 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago
8.1-fpm-alpine Minor runtime version update Also known as: 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21 8.1-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.4 MB Image has same number of vulnerabilities Image contains equal number of packages 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.1.31	1 month ago

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.3-alpine3.21
Digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
Vulnerabilities
Pushed	3 days ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.3

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.3-alpine, 8.4.3-alpine3.21, 8.4.3-cli-alpine, 8.4.3-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.