This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The release prevents host shell injection from app.json cron commands.
Why it matters: Severity 90 security fix blocks shell injection via cron commands; critical for all deployments using this surface.
Summary
AI summary: Updates Tests, Bug Fixes, and Refactors across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Prevents host shell injection from app.json cron commands | — |
| Feature | Low | Warns on deprecated listen http2 in custom nginx templates | — |
| Dependency | Low | Bumps k8s.io/apimachinery from 0.36.0 to 0.36.1 in scheduler-k3s plugin | — |
| Dependency | Low | Bumps soupsieve from 2.8.3 to 2.8.4 in docs build environment | — |
| Bugfix | Medium | Recovers deployed image from registry on local miss | — |
| Bugfix | Medium | Aligns ps/cron :report --global keys with plugin convention | — |
| Bugfix | Medium | Splits openresty report keys into global and computed pairs | — |
| Bugfix | Medium | Uses SYSTEM for shfmt Darwin detection on macOS | — |
| Refactor | Low | Splits more report global keys into raw and computed categories | — |

Source for all entries: llm_adapter@2026-05-27. Confidence: high.
Full changelog
Install/update via the bootstrap script:
```
wget -NP . https://dokku.com/install/v0.38.7/bootstrap.sh
sudo DOKKU_TAG=v0.38.7 bash bootstrap.sh
```
Security
- #8672: @josegonzalez Prevent host shell injection from app.json cron commands
Bug Fixes
- #8669: @josegonzalez Recover deployed image from registry on local miss
- #8679: @josegonzalez Align ps/cron :report --global keys with plugin convention
- #8678: @josegonzalez Split openresty report keys into global and computed pairs
- #8676: @immanuwell Use SYSTEM for shfmt Darwin detection
Refactors
- #8680: @josegonzalez Split more report global keys into raw and computed
New Features
- #8677: @josegonzalez Warn on deprecated listen http2 in custom nginx templates
Tests
- #8683: @dependabot[bot] chore(deps-dev): bump heroku/heroku-buildpack-php from 290 to 291 in /tests/apps/php
- #8671: @josegonzalez Qualify scheduler-k3s ingressroute kubectl lookups
Dependencies
- #8682: @dependabot[bot] chore(deps): bump k8s.io/apimachinery from 0.36.0 to 0.36.1 in /plugins/scheduler-k3s
- #8681: @dependabot[bot] chore(deps): bump soupsieve from 2.8.3 to 2.8.4 in /docs/_build
Security Fixes
- #8672: Prevent host shell injection from app.json cron commands
About dokku
A docker-powered PaaS that helps you build and manage the lifecycle of applications