@logStream = "waf" to your CloudWatch Logs Insights query to view log events where the WAF blocked a request.Alpine 3.21 and above have changed the default mysql client to the mariadb client. As part of this change, the client now verifies the connection certificates by default.
When deploying to a preview environment or on a local development environment (depending on your configuration) mysql server is signed with a self-signed certificate causing the connection to fail. This change does not affect Skpr cluster environments.
The solution is to disable the certificate verification using the MYSQL_ATTR_SSL_VERIFY_SERVER_CERT PDO setting
for development (local and preview) environments. This alone will fix the web server connection issues, but
does not fix the Drush CLI connection unless you're using version 13.7.2 and above.
if ($cert_path = $skpr->get('mysql.default.ca.crt')) {
$databases['default']['default']['pdo'][\PDO::MYSQL_ATTR_SSL_CA] = $cert_path;
}
else {
$databases['default']['default']['pdo'][\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = FALSE;
}
We have worked with Drush to include a change that will disable the peer verification for the CLI when the above is set and this change was released in Drush 13.7.2. You will need to upgrade to Drush 13.7.2 to fix the issue for the CLI.
If for some reason you can't upgrade to Drush 13.7.2, please contact a Skpr Platform Team member as there are workarounds
for connecting, but they are not as seamless as Drush sql:cli or similar.
You can test your changes by switching to the latest image tag for your PHP containers (fpm and cli). These are
located in .skpr/package/cli/Dockerfile and .skpr/package/fpm/Dockerfile.
Once the container is deployed you can confirm Alpine version with cat /etc/issue (3.21).
You can use drush version to check Drush version (13.7.2)
Finally a drush sql:cli command should work without certificate errors on a preview environment.
We will roll the alpine upgrade out to stable images on Monday, 30th March 2026.
The PGP key for the Skpr APT repository has been rotated.
Ubuntu users who rely on this repository must update their local PGP key to continue receiving package updates.
Run the following commands to download and install the latest PGP key, then verify the update by upgrading your Skpr CLI:
# Update the key
wget -q https://packages.skpr.io/apt/packages.skpr.io.pub -O- | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/packages.skpr.io.pub > /dev/null
# Upgrade the CLI
sudo apt update
sudo apt upgrade skpr
These commands are also documented in the official installation guide:
In light of the recent Shai-Hulud worm attack, we believe it’s important to offer our customers a more secure alternative to the npm package manager.
By design, npm executes arbitrary scripts across all dependencies—including transitive ones (the dependencies of your dependencies). This creates a risky environment where malicious code can execute unnoticed.
First released in 2016, pnpm has matured into a battle-tested package manager trusted by teams of all sizes. It combines speed, efficiency, and strict dependency management, making it especially well-suited for organisations managing multiple projects and large monorepos.
Key benefits of pnpm include:
(Adapted from the official project README.md)
For the context of this changelog, the most important feature is script execution control. Unlike npm, pnpm does not automatically run install scripts from dependencies. Instead, it notifies development teams, giving them the choice to explicitly allow or deny execution.
This default safeguard significantly reduces the attack surface for supply-chain exploits like the Shai-Hulud worm.
╭ Warning ─────────────────────────────────────────────────────────────────────╮
│ │
│ Ignored build scripts: @tailwindcss/oxide, esbuild. │
│ Run "pnpm approve-builds" to pick which dependencies should be allowed │
│ to run scripts. │
│ │
╰──────────────────────────────────────────────────────────────────────────────╯
With this in mind, we strongly recommend development teams evaluate pnpm for their development workflows as
a replacement for npm.
pnpm is now available in all our Node base images.
See here for the full list of images.
We have disabled NPM scripts in our Skpr container base images as a security measure in response to the Shai-Hulud worm attack.
For more information on the attack see this blog post from Socket.
We have added the following environment variables to our Node images.
YARN_ENABLE_SCRIPTS=falseNPM_CONFIG_IGNORE_SCRIPTS=trueTo ensure local development environments are not compromised, we also recommend teams add the following to their .npmrc file:
ignore-scripts=true
You can identify which scripts are now blocked with:
npm query ":attr(scripts, [postinstall])" | jq 'map(.name)'
Example output:
[
"esbuild" 👈️ Flagging a dependency that has a postinstall script
]
To see what a blocked script would have executed:
npm view esbuild scripts.postinstall
Example output:
node install.js
You can then manually run the script by pointing to the full path:
node ./node_modules/esbuild/install.js
Include these manual execution steps in your build process where required.
We encourage teams to evaluate alternative Node package managers that have built-in ignore-scripts workflows. For example, pnpm blocks scripts by default and provides a subcommand for approving projects when needed.