chore(deps): upgrade to Laravel 12 and clear all security advisories#1122
Merged
Conversation
Laravel 11.x is EOL for security and had no patched release for the CRLF-injection advisory, so composer (with roave/security-advisories) could no longer resolve a non-vulnerable 11.x tree. Upgrade to Laravel 12 and bump the ecosystem accordingly: - laravel/framework ^11.9 -> ^12.0 (v12.62.0) - inertiajs/inertia-laravel ^1.0 -> ^2.0 - cviebrock/eloquent-sluggable ^11.0 -> ^12.0 - nunomaduro/collision pinned v8.4.0 -> ^8.6 - pestphp/pest ^3.8, pest-plugin-laravel ^3.0 - transitive bumps fix the rest (laravel/reverb 1.10, symfony 7.4.x, phpunit 11.5.50, psy/psysh 0.12.23, ...) composer audit now reports 0 advisories (was 20 across 11 packages). Code changes required by Laravel 12: - app/Models: correct two phpdoc annotations larastan's L12 stubs flag (BelongsToMany pivot-accessor generic; Model __construct attributes type) - resources/views/app.blade.php: wrap the JSON-LD block in @verbatim so the new @context Blade directive stops matching the schema.org "@context" keys Validated: composer audit clean, phpstan/larastan OK, full test suite (70 passed, 1 skipped).
The 'Build front-end assets' step resolves the `ziggy-js` import via a tsconfig path alias to vendor/tightenco/ziggy, which only exists after `composer install`. Running the build earlier failed in CI with 'Rollup failed to resolve import ziggy-js'. Move the step to after the back-end dependency install (still before the back-end tests that need the manifest).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
composer auditreported 20 advisories across 11 packages (severallaravel/frameworkones published 2026-06-17). Laravel 11.x is EOL for security and has no patched release for the CRLF-injection advisory, so withroave/security-advisoriesinstalled, composer can no longer resolve a non-vulnerable 11.x tree. The fix is to upgrade to Laravel 12.Dependency changes
laravel/framework^11.9→^12.0(v12.62.0)inertiajs/inertia-laravel^1.0→^2.0cviebrock/eloquent-sluggable^11.0→^12.0nunomaduro/collisionpinnedv8.4.0→^8.6pestphp/pest→^3.8,pest-plugin-laravel→^3.0laravel/reverb1.4→1.10 (critical RCE),symfony/*7.1/7.2 → 7.4.x,phpunit11.3→11.5.50,psy/psysh0.12.23,paragonie/sodium_compat,symfony/polyfill-intl-idn, …composer auditnow reports 0 advisories.Code changes required by Laravel 12
resources/views/app.blade.php— Laravel 12 added a@contextBlade directive, which was matching the"@context"keys in the JSON-LD schema.org block and producing an unclosed conditional (broke every page render). Wrapped the static JSON-LD in@verbatim.app/Models/Community.php,app/Models/UserProfile.php— corrected two phpdoc annotations that larastan's stricter L12 stubs flag (BelongsToMany pivot-accessor generic; Model__construct$attributestype).Validation (local)
composer audit— 0 advisoriescomposer lint(phpstan/larastan) — no errorsphp artisan migrate— cleanThe server adapter went to inertia-laravel 2.x while the npm
@inertiajs/reactclient stays on 1.2.0. Inertia v2 server is backward-compatible with the v1 client for standard navigation (the app uses no v2-only features), and back-end tests pass — but this is the one thing the test suite can't exercise. Please smoke-test the running SPA before deploying to production. A follow-up to bump the React client to v2 is recommended.