Skpr Events infrastructure
Overview
We've implemented a new events system for the Skpr cluster.
Features:
- Fully supported through the CLI and Skpr UI.
- Events per project environment.
- Add @logStream = 'events' to your CloudWatch Logs Insights query for auditing your events.
- Event subscription system so you can do things like get a Slack notification when a shell session is started on production, or trigger a GitHub Action on a restore completion.
- Some example events:
  - Config has been set: my.config
  - Restore has completed: prod-123
  - Shell session has been created
Skpr UI metrics
Overview
- Improved resolution of metrics through the Skpr UI from 5 minutes to 1 minute aggregation.
- Bugfix: Fixed an issue where CDN invalidation metrics weren't displaying.
WAF logging
Overview
- Add @logStream = "waf" to your CloudWatch Logs Insights query to view log events where the WAF blocked a request.
- Logs are counted and rolled up by IP address.
- Provider information is also included in the log for enhanced debugging.
MySQL certificate verification changes due to Alpine 3.21
Overview
Alpine 3.21 and above have changed the default mysql client to the mariadb client. As part of this change, the client now verifies the connection certificates by default.
When deploying to a preview environment or on a local development environment (depending on your configuration), the MySQL server presents a self-signed certificate, which causes the connection to fail. This change does not affect Skpr cluster environments.
Solution
The solution is to disable certificate verification using the MYSQL_ATTR_SSL_VERIFY_SERVER_CERT PDO setting
for development (local and preview) environments. This alone will fix the web server connection issues, but
does not fix the Drush CLI connection unless you're using Drush 13.7.0 or above.
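// Verify the server against the configured CA certificate when one is available.
if ($cert_path = $skpr->get('mysql.default.ca.crt')) {
  $databases['default']['default']['pdo'][\PDO::MYSQL_ATTR_SSL_CA] = $cert_path;
}
// No CA certificate configured (local and preview environments): skip server certificate verification.
else {
  $databases['default']['default']['pdo'][\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = FALSE;
}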
We have worked with Drush to include a change that will disable the peer verification for the CLI when the above is set and this change was released in Drush 13.7.0. You will need to upgrade to Drush 13.7.0 to fix the issue for the CLI.
If for some reason you can't upgrade to Drush 13.7.0, please contact a Skpr platform team member as there are workarounds
for connecting, but they are not as seamless as Drush sql:cli or similar.
Testing
You can test your changes by switching to the latest image tag for your PHP containers (fpm and cli). These are
located in .skpr/package/cli/Dockerfile and .skpr/package/fpm/Dockerfile.
Once the container is deployed you can confirm the Alpine version with cat /etc/issue (3.21).
You can use drush version to check the Drush version (13.7.0).
Finally, a drush sql:cli command should work without certificate errors on a preview environment.
Timeline
We will roll the Alpine upgrade out to stable images on Monday, 16th February 2026.
PHP 8.5
Overview
We have introduced initial support for PHP 8.5 in our latest PHP image channel, enabling development teams to test their applications with the newest version of PHP.
Below is a list of all the container images with PHP 8.5 support.
Dockerhub tags:
docker.io/skpr/php:8.5-v2-latest
docker.io/skpr/php-fpm:8.5-v2-latest
docker.io/skpr/php-fpm:8.5-dev-v2-latest
docker.io/skpr/php-cli:8.5-v2-latest
docker.io/skpr/php-cli:8.5-dev-v2-latest
docker.io/skpr/php-circleci:8.5-v2-latest
docker.io/skpr/php-circleci:8.5-node20-v2-latest
docker.io/skpr/php-circleci:8.5-node22-v2-latest
GitHub Container Registry tags:
ghcr.io/skpr/php:8.5-v2-latest
ghcr.io/skpr/php-fpm:8.5-v2-latest
ghcr.io/skpr/php-fpm:8.5-dev-v2-latest
ghcr.io/skpr/php-cli:8.5-v2-latest
ghcr.io/skpr/php-cli:8.5-dev-v2-latest
ghcr.io/skpr/php-circleci:8.5-v2-latest
ghcr.io/skpr/php-circleci:8.5-node20-v2-latest
ghcr.io/skpr/php-circleci:8.5-node22-v2-latest
PGP Key Update
Overview
The PGP key for the Skpr APT repository has been rotated.
Ubuntu users who rely on this repository must update their local PGP key to continue receiving package updates.
Updating the repository key
Run the following commands to download and install the latest PGP key, then verify the update by upgrading your Skpr CLI:
# Update the key
wget -q https://packages.skpr.io/apt/packages.skpr.io.pub -O- | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/packages.skpr.io.pub > /dev/null
# Upgrade the CLI
sudo apt update
sudo apt upgrade skpr
These commands are also documented in the official installation guide:
CLI v1.0.0
Overview
We’re excited to announce the v1.0.0 release of the Skpr CLI, a major milestone in the project’s journey.
Representing the culmination of years of work, this version lays the groundwork for continued improvement and collaboration in our public GitHub repository.
Highlights
- New CLI Framework: Built on Cobra for a more consistent and intuitive command experience.
- Improved Styling: A refreshed, colourful help screen now welcomes you with clear examples and neatly grouped commands for easier navigation.
- Open Source: Fully available and maintained on GitHub.
- API Integration: Connected with our new open-source API definition — skpr/api.
Upgrading
Skpr CLI v1.0.0 is available through all existing upgrade paths. Follow the installation or upgrade instructions here:
Node v3 Base Images
Overview
In our last two changelogs, we announced the automatic blocking of script execution in NPM and Yarn, along with our endorsement of pnpm as the safer, long-term solution for Node package management. pnpm stands out for its built-in tooling that lets developers manage an explicit "allowed list" of dependencies permitted to run post-install scripts.
Introducing Our v3 Images
By default, pnpm respects the ignore-scripts environment variable (NPM_CONFIG_IGNORE_SCRIPTS), which disables all post-install scripts.
This created a conflict:
- We need to enforce ignore-scripts for NPM and Yarn to maintain security.
- But we also want pnpm to execute its curated list of safe post-install scripts.
To resolve this, we have released v3 of our Node base images, which make the following changes:
- Renames npm to npm-unsafe
- Renames yarn to yarn-unsafe
- Introduces wrapper scripts for both tools:
  - npm → wraps npm-unsafe and automatically sets NPM_CONFIG_IGNORE_SCRIPTS=true
  - yarn → wraps yarn-unsafe and automatically sets YARN_ENABLE_SCRIPTS=false
- Removes the ignore-scripts environment variables from the Dockerfile, allowing pnpm to execute its managed, "allowed" list of post-install scripts.
The following disclaimer is automatically added to the top of the output when the npm command is run:
============================================================
⚠️ DISCLAIMER: Package lifecycle scripts are disabled ⚠️
============================================================
Environment variable enforced:
NPM_CONFIG_IGNORE_SCRIPTS=true
Scripts will NOT run during npm install.
If you need to bypass this restriction (not recommended),
you must explicitly invoke:
npm-unsafe <command>
⚠️ WARNING: Running with npm-unsafe allows untrusted scripts
to execute and may compromise your system.
------------------------------------------------------------
From the Skpr Platform Team
============================================================
Recommended Upgrade Path
- Adopt pnpm for your development projects as the preferred package manager.
- Upgrade to v3 of the Node base images, which enable pnpm to safely execute its managed list of post-install scripts.
But I Really Want to Use NPM and/or Yarn
If absolutely necessary (though not recommended), development teams can opt out by explicitly using:
- npm-unsafe
- yarn-unsafe
New Node Package Manager: pnpm
Overview
In light of the recent Shai-Hulud worm attack, we believe it’s important to offer our customers a more secure alternative to the npm package manager.
Why move away from npm?
By design, npm executes arbitrary scripts across all dependencies—including transitive ones (the dependencies of your dependencies). This creates a risky environment where malicious code can execute unnoticed.
Enter pnpm
First released in 2016, pnpm has matured into a battle-tested package manager trusted by teams of all sizes. It combines speed, efficiency, and strict dependency management, making it especially well-suited for organizations managing multiple projects and large monorepos.
Key benefits of pnpm include:
- Fast – Up to 2x faster than other package managers (see benchmark).
- Efficient – Uses content-addressable storage; all projects share a single source of truth.
- Strict – Enforces dependency boundaries from package.json.
- Deterministic – Ensures reproducible installs with pnpm-lock.yaml.
- Flexible – Doubles as a Node.js version manager via pnpm env use.
- Cross-platform – Runs seamlessly on Windows, Linux, and macOS.
- Battle-tested – In production use since 2016.
(Adapted from the official project README.md)
Why this matters now
For the context of this changelog, the most important feature is script execution control. Unlike npm, pnpm does not automatically run install scripts from dependencies. Instead, it notifies development teams, giving them the choice to explicitly allow or deny execution.
This default safeguard significantly reduces the attack surface for supply-chain exploits like the Shai-Hulud worm.
╭ Warning ─────────────────────────────────────────────────────────────────────╮
│ │
│ Ignored build scripts: @tailwindcss/oxide, esbuild. │
│ Run "pnpm approve-builds" to pick which dependencies should be allowed │
│ to run scripts. │
│ │
╰──────────────────────────────────────────────────────────────────────────────╯
With this in mind, we strongly recommend development teams evaluate pnpm for their development workflows as
a replacement for npm.
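To see which installed dependencies would run code at install time, the following added example (not Skpr's or pnpm's code) walks node_modules, including pnpm's .pnpm store and transitive packages, and reports every package that declares a preinstall, install or postinstall script. The names auditInstallScripts, packageDirs and the allowList parameter are hypothetical; allowList is assumed to hold the package names your team has approved, for example through pnpm approve-builds.

```javascript
const fs = require("fs");
const path = require("path");

// Lifecycle hooks that npm runs automatically while installing a package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Yield every real package directory below `dir`. Folders without a
// package.json (@scope, .pnpm, .pnpm/<id>/node_modules) are descended into.
// Symlinked entries are skipped, so pnpm's linked layout is visited only once.
function* packageDirs(dir) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const child = path.join(dir, entry.name);
    if (fs.existsSync(path.join(child, "package.json"))) {
      yield child;
      const nested = path.join(child, "node_modules");
      if (fs.existsSync(nested)) yield* packageDirs(nested);
    } else {
      yield* packageDirs(child);
    }
  }
}

// Return [{ name, hooks, allowed }] for each installed package that declares
// an install-time hook. `allowList` is the caller's approved package names.
function auditInstallScripts(projectRoot, allowList = []) {
  const nodeModules = path.join(projectRoot, "node_modules");
  if (!fs.existsSync(nodeModules)) return [];
  const allowed = new Set(allowList);
  const found = new Map();
  for (const dir of packageDirs(nodeModules)) {
    let pkg;
    try {
      pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
    } catch {
      continue; // malformed manifest: nothing to report for this folder
    }
    const scripts = pkg?.scripts ?? {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    // npm treats a binding.gyp without install/preinstall as "node-gyp rebuild".
    if (!scripts.install && !scripts.preinstall && fs.existsSync(path.join(dir, "binding.gyp"))) {
      hooks.push("install (implicit node-gyp)");
    }
    if (pkg?.name && hooks.length) {
      found.set(pkg.name, { name: pkg.name, hooks, allowed: allowed.has(pkg.name) });
    }
  }
  return [...found.values()].sort((a, b) => (a.name < b.name ? -1 : 1));
}
```

Call auditInstallScripts(process.cwd(), [...approved names]) from a project root after an install; any entry with allowed set to false is a package whose scripts nobody has reviewed.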
Available in all base images
pnpm is available now in all our Node base images.
See here for the full list of images.