packagist dereuromark/cakephp-queue 8.13.0

9 hours ago

⚠️ Breaking Changes

  • Queue.executeAllowedCommands is now required when debug=false for any deployment that runs Queue.Execute jobs (#485). With the key unset or empty in production, every Execute job is rejected before exec() is invoked. Migration — add to config/app.php (or app_local.php):

    'Queue' => [
        'executeAllowedCommands' => [
            'bin/cake',
            // '/usr/bin/php',
        ],
    ],

    In dev (debug=true) the allow-list is ignored, so local environments are unaffected. See config/app.example.php and docs/sections/tasks/execute.md.

  • ExecuteTask now escapes the command and each params entry per token via escapeshellarg() instead of escapeshellcmd() (#485). Each value is wrapped as a single shell argument, which closes argument-injection paths but means callers that previously packed multiple tokens into a single entry must split them across the array. Migration:

    // before
    ['command' => 'bin/cake importer run', 'params' => ['--limit 10']]
    
    // after
    ['command' => 'bin/cake', 'params' => ['importer', 'run', '--limit', '10']]

    See docs/sections/upgrading.md for the full note.
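
    The effect of per-token escaping on job data, as an added example rather than the plugin's ExecuteTask code. The function names are hypothetical, the "old" builder is an assumed shape (each entry passed through escapeshellcmd() and joined with spaces), the job data is constructed, and POSIX shell quoting is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration only; not taken from cakephp-queue.

/**
 * Assumed pre-8.13.0 shape: escapeshellcmd() neutralises shell metacharacters
 * but leaves spaces and leading dashes alone, so one entry can still expand
 * into several arguments once the shell splits the line.
 */
function buildWithEscapeShellCmd(string $command, array $params): string
{
    return implode(' ', array_map('escapeshellcmd', [$command, ...$params]));
}

/**
 * 8.13.0 behaviour as described in the release note: the command and every
 * params entry are each quoted as exactly one shell argument.
 */
function buildPerToken(string $command, array $params): string
{
    return implode(' ', array_map('escapeshellarg', [$command, ...$params]));
}

/**
 * Migration audit: returns entries containing whitespace. After the upgrade
 * each of these reaches the program as a single argument, so packed entries
 * such as 'bin/cake importer run' must be split by the caller.
 */
function findPackedEntries(array $data): array
{
    $entries = [$data['command'], ...($data['params'] ?? [])];

    return array_values(array_filter(
        $entries,
        static fn ($entry): bool => preg_match('/\s/', (string)$entry) === 1
    ));
}

// Constructed job data: the legacy packed form from the migration note, and a
// split form whose last value came from untrusted input carrying an extra option.
$legacy  = ['command' => 'bin/cake importer run', 'params' => ['--limit 10']];
$tainted = ['command' => 'bin/cake', 'params' => ['importer', 'run', '--limit', '10 --extra-option']];

echo 'needs splitting: ', json_encode(findPackedEntries($legacy)), PHP_EOL;
echo 'escapeshellcmd:  ', buildWithEscapeShellCmd($tainted['command'], $tainted['params']), PHP_EOL;
echo 'escapeshellarg:  ', buildPerToken($tainted['command'], $tainted['params']), PHP_EOL;
```

    Running findPackedEntries() over queued or hard-coded Execute job data before deploying shows which callers still rely on the packed form; entries that legitimately contain spaces (a file name, for example) are flagged too and need no change.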

Fixes

  • EmailTask::run() now restricts unserialize() to the configured Message subclass via allowed_classes, closing a gadget-chain risk on legacy raw-serialized settings (#484). Modern array-path callers using EmailTask::serialize() are unaffected.
  • Pagination element now uses escapeTitle instead of the broader escape so URL/class/title attributes stay HTML-escaped while the title text can still carry icon markup (#483).

Full Changelog: 8.12.0...8.13.0
