Latest 4.2.2 build won't block with this simple rule :
####
SecRule REQUEST_URI "/any-folder/.+/filename.\php" "id:20202020,rev:1,severity:2,msg:'must be denied',deny" \
####
Performing /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.1 and then the rule above did block filename.php as it should...