Edition №86

Laravel Lang Supply Chain Advisory

Snyk's security advisory detailing a supply chain vulnerability discovered in the Laravel Lang package ecosystem, explaining the attack vector and providing guidance for Laravel developers to protect their applications.

50,000 Spam Emails and a 3 AM Panic: What Happened When I Forgot About a Side Project

A cautionary tale of how an outdated Livewire vulnerability in a forgotten side project led to 50,000 spam emails being sent, and how Docker containerisation limited the damage. Daniel shares the full story of discovering the breach, the panicked overnight investigation, and the lessons learnt about security and updating dependencies.

Introducing Moat: A Security Review for Your GitHub Account

Laravel has released Moat, a package that audits GitHub security settings across users, organisations, and repositories. With a single command, developers can review their security posture and receive actionable suggestions to improve protections like 2FA, branch protection, and workflow permissions.

Security Tip: Secure Your Repositories with Laravel Moat

A practical guide to securing your Laravel repositories using Laravel Moat, a new tool from Nuno Maduro that reviews GitHub security posture and provides actionable recommendations for hardening your repositories against supply chain attacks.

Making Pest parallel and time-based sharding work in Bitbucket Pipelines

A practical guide to implementing Pest 4.6's time-based sharding feature in Bitbucket Pipelines. Covers the setup process, common pitfalls specific to Bitbucket's environment, and workarounds for reducing CI test suite runtime from 24 minutes using parallel execution.

An Update on Composer & Packagist Supply Chain Security

Packagist outlines their comprehensive supply chain security roadmap following recent attacks, including integrated malware detection with Aikido, immutable stable versions launching this week, and plans for mandatory MFA and SLSA build provenance.

Setting up Satis on Laravel Forge

A practical guide to setting up Satis, a static site generator for private Composer packages, on Laravel Forge. Covers site creation, deployment configuration, and authentication handling to avoid monthly Private Packagist costs.

Laravel Paper: A Flat-File Eloquent Driver (No Database)

The final boss. Generics in PHP

Brent goes through the latest Generics RFC that has been submitted. Let's see what he thinks and will we actually get it coming to a PHP near you.

Introducing CTOR: Prefer Constructor over Always-Called Setters

Tomas Votruba introduces CTOR, a PHPStan extension that detects setter methods always called after object instantiation and suggests moving them into the constructor instead. The tool helps Laravel developers prevent half-valid objects by enforcing proper dependency injection through constructors rather than relying on mandatory setter chains.