
General

General December 15, 2021

Servers for Artisans: The Next Generation

During Laracon NYC 2014, Taylor Otwell, the creator of Laravel, announced both Laravel Homestead and Laravel Forge, instantly simplifying the entire process of building Laravel applications - from first download to final deployment.

Claudio Dekker

General December 15, 2021

Log4j Vulnerability Update

Log4j is a Java library by Apache used to log debug messages within applications. It's recently been featured in news outlets around the world due to a vulnerability (known as Log4Shell) that was discovered allowing remote code execution using a specific string.

James Brooks

General April 28, 2021

Security: SQL Injection in SQL Server "LIMIT" / "OFFSET"

Today we have released security patches via Laravel 6.20.26 and 8.40.0. These patches resolve a security vulnerability that allowed SQL injection when unfiltered user input was passed directly to the `limit` and `offset` methods of the Laravel query builder and the user was also using Microsoft SQL Server as their database. Other database drivers such as MySQL and Postgres do not appear to be affected by this problem at this time. All Laravel users are encouraged to update immediately, or, if you are unable to update to these versions, ensure that you are only passing integers to the `limit` and `offset` methods. This security vulnerability has been published as a GitHub security advisory: https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j

Taylor Otwell

General March 9, 2021

Installer: Git Support

With the newly released v4.2 update of the Laravel installer comes an exciting new feature: Git Support! It's now possible to initialise a Git repository with the base skeleton already committed when setting up a new project. Simply make use of the `--git` flag to set up a new repository:

```bash
laravel new example-app --git
```

This command will initialize a new Git repository for your project and automatically commit the base Laravel skeleton. This way you can immediately get started with writing code and committing to your app's Git repository.

Or, instead of using the `--git` flag, you may use the `--github` flag to create a Git repository and also create a corresponding private repository on GitHub:

```bash
laravel new example-app --github
```

The created repository will then be available at `https://github.com/

Dries Vints

General January 15, 2021

Security: Laravel 6.20.12, 7.30.3 Released

Earlier this week we released a security update to address a problem with query parameter binding in Laravel. However, the 6.x and 7.x releases were done before the Git sub-tree splits had completed running; therefore, anyone using the **illuminate/database** component apart from the Laravel framework or anyone using **Lumen** did not receive the updates on those versions. Therefore, we have tagged new versions of illuminate/database on the 6.x and 7.x branches. **Anyone using the Laravel framework or using version 8.x of the Illuminate components is not affected by this release.**

Taylor Otwell

General January 7, 2021

Security: Fortify 1.7.4 Released

We have reverted a pull request that was merged into Laravel Fortify 1.7.3 which introduced a potential security vulnerability. Please update your applications using Fortify 1.7.3, including all Jetstream based applications, to Fortify 1.7.4.

Taylor Otwell

General November 26, 2020

Laravel: PHP 8 Support

PHP 8 has been officially released! We've been hard at work behind the scenes to provide support for all our libraries so that upgrading to PHP 8 with Laravel is easy.

Dries Vints

General July 27, 2020

Laravel Cookie Security Releases

Today we released several fixes to address a security vulnerability in the framework that we were notified of during the weekend. Applications using the "cookie" session driver were the primary applications affected by this vulnerability. **Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.**

We have also released Passport 9.3.2 to provide compatibility with today's releases. If you are running Passport on Laravel 6.x or 7.x, you should update to today's Passport 9.3.2 release. The Passport release is not a security release; however, the library needed updates to be compatible with today's framework changes.

Regarding the vulnerability, applications using the "cookie" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution. An encryption oracle is a mechanism where arbitrary user input is encrypted and the encrypted string is later displayed or exposed to the user. This combination of scenarios lets the user generate valid Laravel signed encryption strings for any plain-text string, thus allowing them to craft Laravel session payloads when an application is using the "cookie" driver.

Today's fix prefixes cookie values with an HMAC hash of the cookie's name before encryption and then verifies a matching hash on decryption, making it impossible to craft a valid cookie payload even if an encryption oracle is exposed via the application.

I would like to personally apologize for the inconvenience of today's security releases since the nature of this fix required us to invalidate existing encrypted cookies issued by Laravel applications. Thank you for your patience and understanding.

Taylor Otwell

General April 29, 2020

Laracon Online 2020

Hey everyone! As many of you know, we had to cancel Laracon US 2020 due to the ongoing pandemic and travel restrictions. While unfortunate, it led me to step back and rethink the current Laracon landscape.

Typically, I make the year's major feature announcements live on stage at Laracon US. This is an incredibly exciting time, but it bothers me that many people around the world will never get a chance to experience those announcements live.

So, this year we are pumped to launch a brand-new, summer edition of [Laracon Online](https://laracon.net). This is where I will be sharing all of the cool features and tools coming in the next release of Laravel with thousands of developers in over one hundred countries around the world. **In fact, I've decided to make this the main venue I make major feature announcements beyond 2020 as well. I want as many developers as possible to be able to stream and chat about the latest Laravel goodies.**

![](https://laravel-blog-assets.s3.amazonaws.com/S2h87MKdPVmz7oAYuleWyMNx4W8jw3NSV5e1i2bn.png)

Laracon Online 2020 features essentially the same speaker line-up that was announced for Laracon US 2020, including myself and Jeffrey Way. We will also be adding a few more faces to the line-up over the coming weeks!

Of course, we will be offering the same forum-based live discussion we have offered in the previous years. I will also be opening a new Laracon channel on the [official Laravel Discord](https://discord.gg/mPZNm7A) server for real-time chatting.

It's possible that Laracon US will return for a live, in-person event in 2021. I sure would like to see all of your faces again! But, the event will likely have an emphasis on deep-diving into the nitty-gritty details of the feature announcements made during our online event.

Our winter edition of Laracon Online will debut early next year with a new format to differentiate it from the summer event. We aren't quite sure what this will look like at the moment, but have considered making it a "workshop" focused event.

I want to give a special shout-out to [Few](https://few.io/), who was able to quickly remix their Laracon US 2020 website design with a fresh global flavor. I think you'll love it!

Tickets for Laracon Online 2020 are now available on the [Laracon Online website](https://laracon.net). Snag yours and get ready for a full day of wonderful talks and exciting announcements!

Taylor Otwell
