Skip to content

chore(deps): upgrade to Laravel 12 and clear all security advisories#1122

Merged
dsebastien merged 2 commits into
mainfrom
chore/laravel-12-security
Jun 17, 2026
Merged

chore(deps): upgrade to Laravel 12 and clear all security advisories#1122
dsebastien merged 2 commits into
mainfrom
chore/laravel-12-security

Conversation

@dsebastien

Copy link
Copy Markdown
Member

Why

composer audit reported 20 advisories across 11 packages (several laravel/framework ones published 2026-06-17). Laravel 11.x is EOL for security and has no patched release for the CRLF-injection advisory, so with roave/security-advisories installed, composer can no longer resolve a non-vulnerable 11.x tree. The fix is to upgrade to Laravel 12.

Dependency changes

  • laravel/framework ^11.9^12.0 (v12.62.0)
  • inertiajs/inertia-laravel ^1.0^2.0
  • cviebrock/eloquent-sluggable ^11.0^12.0
  • nunomaduro/collision pinned v8.4.0^8.6
  • pestphp/pest^3.8, pest-plugin-laravel^3.0
  • Transitive bumps fix the rest: laravel/reverb 1.4→1.10 (critical RCE), symfony/* 7.1/7.2 → 7.4.x, phpunit 11.3→11.5.50, psy/psysh 0.12.23, paragonie/sodium_compat, symfony/polyfill-intl-idn, …

composer audit now reports 0 advisories.

Code changes required by Laravel 12

  • resources/views/app.blade.php — Laravel 12 added a @context Blade directive, which was matching the "@context" keys in the JSON-LD schema.org block and producing an unclosed conditional (broke every page render). Wrapped the static JSON-LD in @verbatim.
  • app/Models/Community.php, app/Models/UserProfile.php — corrected two phpdoc annotations that larastan's stricter L12 stubs flag (BelongsToMany pivot-accessor generic; Model __construct $attributes type).

Validation (local)

  • composer audit — 0 advisories
  • composer lint (phpstan/larastan) — no errors
  • ✅ Full test suite — 70 passed, 1 skipped (sqlite)
  • php artisan migrate — clean

⚠️ Reviewer note — Inertia client

The server adapter went to inertia-laravel 2.x while the npm @inertiajs/react client stays on 1.2.0. Inertia v2 server is backward-compatible with the v1 client for standard navigation (the app uses no v2-only features), and back-end tests pass — but this is the one thing the test suite can't exercise. Please smoke-test the running SPA before deploying to production. A follow-up to bump the React client to v2 is recommended.

Laravel 11.x is EOL for security and had no patched release for the
CRLF-injection advisory, so composer (with roave/security-advisories)
could no longer resolve a non-vulnerable 11.x tree. Upgrade to Laravel 12
and bump the ecosystem accordingly:

- laravel/framework ^11.9 -> ^12.0 (v12.62.0)
- inertiajs/inertia-laravel ^1.0 -> ^2.0
- cviebrock/eloquent-sluggable ^11.0 -> ^12.0
- nunomaduro/collision pinned v8.4.0 -> ^8.6
- pestphp/pest ^3.8, pest-plugin-laravel ^3.0
- transitive bumps fix the rest (laravel/reverb 1.10, symfony 7.4.x,
  phpunit 11.5.50, psy/psysh 0.12.23, ...)

composer audit now reports 0 advisories (was 20 across 11 packages).

Code changes required by Laravel 12:
- app/Models: correct two phpdoc annotations larastan's L12 stubs flag
  (BelongsToMany pivot-accessor generic; Model __construct attributes type)
- resources/views/app.blade.php: wrap the JSON-LD block in @verbatim so the
  new @context Blade directive stops matching the schema.org "@context" keys

Validated: composer audit clean, phpstan/larastan OK, full test suite
(70 passed, 1 skipped).
The 'Build front-end assets' step resolves the `ziggy-js` import via a
tsconfig path alias to vendor/tightenco/ziggy, which only exists after
`composer install`. Running the build earlier failed in CI with
'Rollup failed to resolve import ziggy-js'. Move the step to after the
back-end dependency install (still before the back-end tests that need
the manifest).
@dsebastien dsebastien merged commit eacc188 into main Jun 17, 2026
5 checks passed
@dsebastien dsebastien deleted the chore/laravel-12-security branch June 17, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant