[Blog] PHP 8.5.6RC3

resources/ATTRIBUTION.txt

@@ -20,3 +20,8 @@
 * extra-5-confusion.svg
 	Created by hand using https://www.svgviewer.dev/
 	Based on my previous work on missing-3-confusion.svg
+
+* php-8.5.6RC3-confusion.svg
+	Created by hand using https://www.svgviewer.dev/
+	Based on my previous work on missing-3-confusion.svg and
+	extra-5-confusion.svg

sitemap.xml

@@ -87,4 +87,7 @@
  <url>
   <loc>https://scherzer.dev/Blog/20260416-php86-release-manager</loc>
  </url>
+ <url>
+  <loc>https://scherzer.dev/Blog/20260430-php856-rc-3</loc>
+ </url>
 </urlset>

src/Blog/posts/20260430-php856-rc-3.md

@@ -0,0 +1,76 @@
+---
+title: The Story of PHP 8.5.6 Release Candidate 3
+extra-classes:
+  - blog-page--sidebar-image
+---
+
+# The Story of PHP 8.5.6 Release Candidate 3
+
+I have previously had to skip a non-stable release
+([PHP 8.5.0 alpha3][blog-alpha3]), and to create an extra unplanned release
+candidate ([PHP 8.5.0 RC5][blog-rc5]). For PHP 8.5.6 release candidate 3, I had
+to do both: release candidate 2 was unplanned, and then an error led to skipping
+it, resulting in release candidate 3 that I just announced. Here is what
+happened.
+
+![PHP 8.5.6RC3 confusion](/resources/php-8.5.6RC3-confusion.svg)
+
+## Uriparser vulnerability
+
+When PHP 8.5.6 RC1 was tagged and [announced][rc1-announce], it was expected to
+be the only release candidate. However, earlier this week a vulnerability
+([CVE-2026-42371]) in the [uriparser library][uri-lib] was
+[disclosed][uri-disclosure]. That library is bundled with PHP 8.5.
+
+On Monday, a pull request, [#21890][gh-21890], was opened for PHP to update the
+bundled library to the latest version, where the vulnerability was fixed. Since
+the vulnerability was in an upstream dependency and had already been announced
+publicly, this security fix was performed in public on GitHub, rather than in
+private [as described in PHP's security policy][php-sec-policy].
+
+I merged that change, and cherry-picked it to the PHP-8.5.6 branch. So far,
+everything was relatively familiar - I had done something similar for the extra
+release candidate for PHP 8.5.0. Seeing no regression reports or other fixes
+that needed to be included in PHP 8.5.6, on Tuesday I proceeded to tag and
+build a second release candidate. Everything was going as expected; RC2 was
+unplanned, but I've had to deal with unexpected release candidates before.
+
+## ext/dom compilation
+
+On Wednesday, before I had announced the second release candidate, a bug report
+was filed on GitHub ([#21911][gh-21911]). On Windows only, when trying to build
+the dom extension in shared mode (`--with-dom=shared`), compilation would fail.
+The cause was a problematic upmerge from PHP-8.4 to PHP-8.5 when updating to a
+newer version of the [lexbor library][lexbor-lib]. As a result of some internal
+reorganization between PHP 8.4 and 8.5, the lexbor upgrade placed some
+dependency files in incorrect locations in PHP 8.5.
+
+Normally, when bugs are resolved the fixes go out in the next bugfix release
+that is not already in progress, meaning PHP 8.5.7 in this case. However, this
+was a bug that was introduced *after* PHP 8.5.5 was released - in other words,
+it would have been a regression between PHP 8.5.5 and 8.5.6. In those cases,
+if fixes are available in time they are included immediately. This is the whole
+reason we use release candidates: to catch regressions before they reach a
+stable release.
+
+Since I had already tagged and built PHP 8.5.6RC2, this meant that a third
+release candidate was needed. I cherry-picked the fix and tagged and built a
+new release candidate, PHP 8.5.6RC3.
+
+## Looking ahead
+
+For most patch releases (i.e. PHP 8.5.X) only a single release candidate is
+needed. Building three candidates is rare, but it happens (e.g. PHP 8.3.1RC3).
+Hopefully, no new issues are found and PHP 8.5.6 can be released as scheduled
+next week.
+
+[blog-alpha3]: ./20250801-no-alpha-3
+[blog-rc5]: ./20251113-release-candidate-5
+[gh-21890]: https://github.com/php/php-src/pull/21890
+[gh-21911]: https://github.com/php/php-src/issues/21911
+[lexbor-lib]: https://lexbor.com/
+[rc1-announce]: https://news-web.php.net/php.internals/130688
+[CVE-2026-42371]: https://nvd.nist.gov/vuln/detail/CVE-2026-42371
+[php-sec-policy]: https://github.com/php/policies/blob/67fbca9739e3de9823c297cdb9a938e3b532be93/security-classification.rst#handling-issues
+[uri-disclosure]: https://www.openwall.com/lists/oss-security/2026/04/27/2
+[uri-lib]: https://uriparser.github.io/

tests/data/Home.html

@@ -4,6 +4,9 @@
 Computer Science and Political Science and graduating <em>magna cum laude</em> in 2024 with a Bachelor of Science degree. As part of my work in Computer
 Science, I chose to write an honors thesis in my senior year, see <a href="./Thesis">here</a> for details. I continued at Tufts for graduate school, graduating in 2025 with
 a Master of Science in Computer Science degree.</p><p>See the links in the navigation bar above for more information about my
-experience.</p><h2 class="subsection-header">Contact</h2><ul><li><a href="https://www.linkedin.com/in/daniel-scherzer-520539263/" target="_blank" class="external-link">LinkedIn</a></li><li>Email: <code>daniel.e.scherzer@gmail.com</code></li></ul><h2 class="subsection-header">Blog</h2><p>I also have a blog. You can see a full index of my posts <a href="/Blog">here</a>. My latest blog post is: </p><div class="blog-preview"><h3>PHP 8.6 Release Manager</h3><span class="blog-preview-date">Thursday, 16 April 2026</span><p>I'm excited to announce that I will be serving as the &quot;veteran&quot; release manager
-for the PHP 8.6 release cycle. In that role I will be mentoring two new
-&quot;rookie&quot; release managers to ensure a smooth and successful release process. <a href="/Blog/20260416-php86-release-manager">Continue reading...</a></p></div></div><div class="des-footer"><div class="des-footer--content">Content is © 2026 Daniel Scherzer</div></div></body></html>
+experience.</p><h2 class="subsection-header">Contact</h2><ul><li><a href="https://www.linkedin.com/in/daniel-scherzer-520539263/" target="_blank" class="external-link">LinkedIn</a></li><li>Email: <code>daniel.e.scherzer@gmail.com</code></li></ul><h2 class="subsection-header">Blog</h2><p>I also have a blog. You can see a full index of my posts <a href="/Blog">here</a>. My latest blog post is: </p><div class="blog-preview"><h3>The Story of PHP 8.5.6 Release Candidate 3</h3><span class="blog-preview-date">Thursday, 30 April 2026</span><p>I have previously had to skip a non-stable release
+(<a href="./Blog/20250801-no-alpha-3">PHP 8.5.0 alpha3</a>), and to create an extra unplanned release
+candidate (<a href="./Blog/20251113-release-candidate-5">PHP 8.5.0 RC5</a>). For PHP 8.5.6 release candidate 3, I had
+to do both: release candidate 2 was unplanned, and then an error led to skipping
+it, resulting in release candidate 3 that I just announced. Here is what
+happened. <a href="/Blog/20260430-php856-rc-3">Continue reading...</a></p></div></div><div class="des-footer"><div class="des-footer--content">Content is © 2026 Daniel Scherzer</div></div></body></html>

tests/data/blog-index.html

@@ -1,5 +1,10 @@
 <!DOCTYPE html>
-<html lang="en"><head><link rel="icon" href="data:,"><meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1"><link rel="stylesheet" type="text/css" href="/resources/default-styles.css"><title>Blog index</title><link rel="stylesheet" type="text/css" href="/resources/blog-styles.css"></head><body><div class="des-navbar"><a href="/Home">Home</a><a href="/files/Resume.pdf">Résumé</a><a href="/OpenSource">Open Source</a><a href="/Work">Work</a><strong class="des-strong-page-link">Blog</strong></div><div class="content-wrapper"><h1>Blog index</h1><div class="blog-preview"><h2>PHP 8.6 Release Manager</h2><span class="blog-preview-date">Thursday, 16 April 2026</span><p>I'm excited to announce that I will be serving as the &quot;veteran&quot; release manager
+<html lang="en"><head><link rel="icon" href="data:,"><meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1"><link rel="stylesheet" type="text/css" href="/resources/default-styles.css"><title>Blog index</title><link rel="stylesheet" type="text/css" href="/resources/blog-styles.css"></head><body><div class="des-navbar"><a href="/Home">Home</a><a href="/files/Resume.pdf">Résumé</a><a href="/OpenSource">Open Source</a><a href="/Work">Work</a><strong class="des-strong-page-link">Blog</strong></div><div class="content-wrapper"><h1>Blog index</h1><div class="blog-preview"><h2>The Story of PHP 8.5.6 Release Candidate 3</h2><span class="blog-preview-date">Thursday, 30 April 2026</span><p>I have previously had to skip a non-stable release
+(<a href="./Blog/20250801-no-alpha-3">PHP 8.5.0 alpha3</a>), and to create an extra unplanned release
+candidate (<a href="./Blog/20251113-release-candidate-5">PHP 8.5.0 RC5</a>). For PHP 8.5.6 release candidate 3, I had
+to do both: release candidate 2 was unplanned, and then an error led to skipping
+it, resulting in release candidate 3 that I just announced. Here is what
+happened. <a href="/Blog/20260430-php856-rc-3">Continue reading...</a></p></div><div class="blog-preview"><h2>PHP 8.6 Release Manager</h2><span class="blog-preview-date">Thursday, 16 April 2026</span><p>I'm excited to announce that I will be serving as the &quot;veteran&quot; release manager
 for the PHP 8.6 release cycle. In that role I will be mentoring two new
 &quot;rookie&quot; release managers to ensure a smooth and successful release process. <a href="/Blog/20260416-php86-release-manager">Continue reading...</a></p></div><div class="blog-preview"><h2>Introducing define_deprecated() for PHP</h2><span class="blog-preview-date">Friday, 10 April 2026</span><p>In PHP 8.5, I introduced support for <a href="./Blog/20250429-attributes-on-constants">attributes on constants</a>,
 which allows marking compile-time global constants as deprecated. However,