Version 7.5.0

.trivyignore

@@ -1,9 +1,13 @@
 # True positive but we expect Lychee to be run behind a reverse proxy that is taking care of the cryptography and TLS configuration.
 # Waiting of frankenphp to update the golang dependencies
 CVE-2026-25793
+
 # This CVE is stupid and disputed.
 # The "vulnerability" is that php-jwt accepts short HMAC keys without validation.
 # This is not a library bug — key management is the caller's responsibility.
 # PHP's own hash_hmac() and openssl_sign() behave identically and have no CVEs for this.
 # NVD agrees — hence the Disputed tag and no score from NIST.
-CVE-2025-45769
+CVE-2025-45769
+
+# True positive but local attack vector, we will be waiting for frankenphp to update their image.
+CVE-2026-0861

Dockerfile

@@ -56,7 +56,7 @@
 # ============================================================================
 # Stage 3: Production FrankenPHP Image
 # ============================================================================
-FROM dunglas/frankenphp:php8.5-trixie@sha256:d3c991a312bcb343e1385be577f3ea75f509feaaf176f721313f7dd48cee0fdd
+FROM dunglas/frankenphp:php8.5-trixie@sha256:7315062106fd2ee885d884072e3335f59e25a3abc34de0a03e102604ab73b4d0
 
 ARG USER=appuser
 
@@ -118,7 +118,7 @@
 COPY --from=node --chown=www-data:www-data /app/public/embed ./public/embed
 
 # Ensure storage and bootstrap/cache are writable with minimal permissions
 RUN mkdir -p storage/framework/cache \
     storage/framework/sessions \
     storage/framework/views \
     storage/logs \

database/migrations/2026_03_16_164002_bump_version070500.php

@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\DB;
+use Symfony\Component\Console\Output\ConsoleOutput;
+use Symfony\Component\Console\Output\ConsoleSectionOutput;
+
+return new class() extends Migration {
+	private ConsoleOutput $output;
+	private ConsoleSectionOutput $msg_section;
+
+	public function __construct()
+	{
+		$this->output = new ConsoleOutput();
+		$this->msg_section = $this->output->section();
+	}
+
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070500']);
+		try {
+			Artisan::call('cache:clear');
+		} catch (\Throwable $e) {
+			$this->msg_section->writeln('<error>Warning:</error> Failed to clear cache for version 7.5.0');
+
+			return;
+		}
+		$this->msg_section->writeln('<info>Info:</info> Cleared cache for version 7.5.0');
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070402']);
+	}
+};

version.md

@@ -1 +1 @@
-7.4.2
+7.5.0