Laravel 11.7, weekly updates, and 🔥 tip

Laravel 11.7

Several new features this week bring us to Laravel 11.7. Here are the highlights.

  • Introduce Rule::array() in #51250
  • Allow passing Stringable to blank and filled helpers in #51300
  • Add whereJsonOverlaps() to Query Builder for MySQL in #51288
  • Add InteractsWithInput methods to ValidatedInput in #51316
  • Add PasswordResetLinkSent event in #51253

You may review the full branch diff on GitHub for a complete list of changes.

This version bump and update is automated for subscribers to a Shifty Plan. If you don't have one of those, be sure to bump your constraint and run composer update to get the latest features.

Weekly Journal

Last week I did a quick live stream to create the Laravel Slimmer. I finished this up Thursday and launched Friday. It's currently offered at a discount as I continue to make tweaks for all the various upgrade paths.

This Shift is for those who simply bumped their dependencies or otherwise still have old core files in their application. Note that the Laravel 11.x Shift already slims your application. So you would not need to run the Laravel Slimmer, unless you had a lot of core files remaining that you later wanted to remove.

Friday and over the weekend I patched a bug in the Laravel 11.x Shift (more on that in a second) and made some tweaks to the Laravel Slimmer.

This week I plan to update the laravel-shift/factory-generator package - which powers the Tests Generator. Then, maybe, hopefully, finally, switch back to the side-project.

🔥 Tip

Last week a bug relating to the registration of the TrustHosts middleware was reported by a user. They had been working with Laravel security expert Stephen Rees-Carter and found a potential vulnerability.

As far as the vulnerability goes, my rough understanding is that the TrustProxies and TrustHosts middleware need to both be enabled and configured when your application is behind a proxy (load balancer, CDN, etc.). If both are not enabled with hosts properly restricted, your app may be open to host header poisoning.

As far as the bug goes, there was an application structure where the Laravel 11.x Shift may not have registered the TrustHosts middleware in the new middleware configuration. This middleware is disabled by default. So this bug only occurred when this middleware had been enabled and the file was otherwise unchanged.

While I feel this app structure was limited, if you've run the Laravel 11.x Shift and your application is behind a proxy, please double check that the TrustHosts middleware is enabled in your bootstrap/app.php. You should see a call to $middleware->trustHosts(). Remember, simply enabling it does not prevent the vulnerability. Take this opportunity to double check that your trusted hosts configuration is locked down as well.
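For reference, here is what a locked-down Laravel 11 bootstrap/app.php looks like with both middleware registered. This is an added example, not code from the newsletter or generated by the Shift; the host names, the proxy CIDR range, and the forwarded headers are placeholder assumptions you would replace with your own values.

```php
<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // TrustProxies: only accept X-Forwarded-* headers from the proxy
        // layer itself. The CIDR below is a placeholder for your load
        // balancer / CDN address range. Avoid '*' unless every hop in
        // front of the app is one you control.
        $middleware->trustProxies(
            at: ['10.0.0.0/8'],
            headers: Request::HEADER_X_FORWARDED_FOR
                | Request::HEADER_X_FORWARDED_HOST
                | Request::HEADER_X_FORWARDED_PORT
                | Request::HEADER_X_FORWARDED_PROTO,
        );

        // TrustHosts: an explicit allow-list of hostnames the app may be
        // served under. Anything else in the Host (or forwarded host)
        // header is rejected before it can reach URL generation,
        // password-reset links, etc. Placeholder hostnames.
        $middleware->trustHosts(at: [
            'example.com',
            'www.example.com',
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

After deploying, confirm the configuration is active by sending a request with a Host header that is not in the list; Laravel should refuse to serve it rather than echo the bogus host back in generated URLs.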