Best of PHP: March 2026

  1. Article
    Laravel News · 6w

    Ward: A Security Scanner for Laravel

    Ward is a Go-based command-line security scanner built specifically for Laravel projects. It parses Laravel's structure (routes, models, controllers, Blade templates, config files, env vars, dependencies) and runs four targeted scan engines: env-scanner, config-scanner, dependency-scanner (using live OSV.dev data), and a rules-scanner with 42 built-in rules covering secrets, injection, XSS, weak crypto, and more. It features a terminal UI, multiple output formats (JSON, SARIF, HTML, Markdown), CI/CD integration with exit-code gating, baseline management to track acknowledged findings, custom rule support, and scan history diffing.

  2. Article
    Laravel · 6w

    Laravel February Product Updates

    Laravel's February 2026 updates span the entire ecosystem. The Framework 12.x gained AI SDK provider default model configuration via config/ai.php, a new Svelte starter kit with Inertia, and VS Code test runner integration. Laravel Cloud launched a fully programmable API for managing deployments, databases, and scaling (useful for CI/CD and AI agents), a new CLI, and issued a MySQL 8.0 end-of-life notice urging upgrades to 8.4 LTS before April 2026. Laravel Forge added npm private package support with automatic .npmrc management, MySQL 9.x support for new servers, and an OpenClaw server type. Laravel Nightwatch introduced an MCP server for querying observability data from your editor, Linear integration for issue tracking, sort-by-occurrences for exceptions, and per-user filtering across requests, jobs, and logs.

  3. Article
    PHP · 5w

    PHP: PHP 8.4.19 Release Announcement

    PHP 8.4.19 has been released as a bug fix update. All PHP 8.4 users are encouraged to upgrade. Source downloads and Windows binaries are available on the official PHP downloads page, with the full list of changes in the ChangeLog.

  4. Article
    Laravel News · 4w

    Circuit Breaker for Laravel

    The circuit-breaker package for Laravel implements the circuit breaker pattern to prevent cascading failures when downstream services are unavailable. It supports three circuit states (closed, open, half-open), named circuits for per-service isolation, lifecycle callbacks (onOpen, onSuccess, onFailure), and Guzzle middleware integration via an X-Circuit-Key header. Service calls are wrapped with a run() method, and the circuit automatically decides whether to allow, block, or test each call based on current state.

  5. Article
    Make WordPress Core · 6w

    PHP-only block registration

    WordPress now supports PHP-only block registration, allowing developers to create simple blocks without any JavaScript. By calling register_block_type with the new autoRegister flag and a render_callback, blocks automatically appear in the editor. The editor also auto-generates Inspector Controls sidebar UI for supported attribute types, making it easier to build server-side-rendered blocks with minimal setup.

  6. Article
    Laravel News · 4w

    Browse and Execute Artisan Commands from an Interactive TUI

    Artisan Browse is a Laravel package by Josh Embling that provides an interactive terminal UI (TUI) for discovering, searching, and executing Artisan commands without leaving the terminal. Key features include searchable command lists with descriptions, namespace filtering, step-by-step argument and option prompts, a command preview before execution, configurable blacklists and scroll behavior, and an auto-execute option. It is intended for local development use only.

  7. Article
    Laravel News · 6w

    Filament v5.3.0 Released with Deferred Tab Badges and Column Manager Improvements

    Filament v5.3.0 introduces ten new features for the Laravel admin panel framework. Key additions include deferred tab badge loading to avoid expensive database queries on page load, column manager support for modal and slideover display modes, RichEditor plugin enhancements allowing custom file attachment providers and toolbar button control, and sort loading indicators on table columns. Other improvements include rate limiting by user ID and email, UnitEnum support for navigation groups, a new Callout controls slot, additional Tailwind CSS color options, and expanded resource configuration. Two bug fixes address sidebar state restoration and a missing chart widget translation.

  8. Article
    Laravel News · 3w

    Liminal: A Browser-Based IDE for Laravel Powered by WebAssembly

    Liminal is a browser-based IDE that runs PHP 8.4 via WebAssembly, enabling full Laravel development without any local installation or server setup. It includes a code editor with syntax highlighting (CodeMirror 6), a preview pane with Tailwind CSS v4, an Artisan terminal, and an OpenAI-powered AI agent. Notable features include shareable URLs that encode file state, GitHub import, zip export, and local folder sync via the File System Access API. Limitations include no external network access from PHP, SQLite-only database support, a fixed vendor directory, and slower-than-native performance. The project is built with Vue 3, TypeScript, Vite, and Tailwind CSS v4.

  9. Article
    Collections · 4w

    Laravel 13: PHP 8.3 required, native Attributes, AI SDK, and vector search

    Laravel 13 is released with PHP 8.3 as the minimum requirement. The headline feature is 36 new native PHP attributes covering Eloquent models, queue jobs, Artisan commands, and routing — usable as an opt-in alternative to traditional class properties. The first-party AI SDK (text generation, tool-calling, embeddings, vector store) is now officially stable, as is native JSON:API resource support. New additions include semantic/vector search via pgvector for PostgreSQL, centralized queue routing with Queue::route(), and Cache::touch() for TTL extension. The Laravel Boost installer also gains an AI-assisted upgrade command as an alternative to Laravel Shift. Laravel 11 loses security fix support with this release.

  10. Article
    Socket · 6w

    Malicious Packagist Packages Disguised as Laravel Utilities ...

    Socket's Threat Research Team discovered a remote access trojan (RAT) distributed through three Packagist packages by threat actor nhattuanbl, disguised as Laravel utilities. The packages nhattuanbl/lara-helper and nhattuanbl/simple-queue contain an identical obfuscated PHP RAT payload in helper.php, while nhattuanbl/lara-swagger acts as a clean-looking vector that silently pulls in lara-helper as a Composer dependency. Once loaded, the RAT connects to a C2 server, supports shell execution, file read/write, screenshots, and system reconnaissance, and runs persistently in the background. The payload uses goto spaghetti, hex/octal string encoding, and randomized identifiers to evade static analysis. Affected hosts should be treated as fully compromised, with all secrets rotated and the payload removed. Key takeaways: transitive dependencies deserve the same scrutiny as direct installs, and dev-master constraints are high-risk in production.

  11. Article
    Laravel News · 3w

    New Expressive Model Attributes in Laravel 13.2.0

    Laravel 13.2.0 introduces several developer experience improvements. New symmetrical PHP attributes for Eloquent models (e.g., #[DateFormat], #[WithoutTimestamps]) replace multi-parameter attributes with single-purpose ones. Queue attributes #[Queue] and #[Connection] now accept backed enums directly without calling ->value. The withoutOverlapping() method gains a releaseOnSignal parameter to release overlap locks on process termination signals. UniqueConstraintViolationException now exposes column and index details per database driver. Other improvements include variadic #[Backoff] attribute support, magic factory methods accepting multiple arrays, schedule:list timezone fixes, and various bug fixes across queues, models, collections, HTTP streaming, and testing.

  12. Article
    Symfony · 3w

    Introducing the Symfony Tui Component (Symfony Blog)

    Fabien Potencier announces the Symfony Tui component, a new PHP library for building rich interactive terminal user interfaces. It splits responsibilities previously mixed in the Console component: Console handles commands and arguments, while Tui handles widgets, layouts, styling, input, mouse support, and real-time rendering. The component ships with a full widget toolkit (text, input, editor, select lists, markdown, images, progress bars, overlays), a CSS-like styling system with Tailwind utility classes and stylesheet rules, Twig-based declarative templates, and a smart rendering pipeline with dirty tracking, render caching, and screen diffing. It runs on PHP Fibers and the Revolt event loop for concurrency without extensions, requiring PHP 8.4+. The component is already used in production powering an AI coding agent.

  13. Video
    Stefan Mischook · 4w

    Laravel Just Confirmed What Some Developers Don’t Want to Hear

    Laravel 12 has released an official AI SDK that provides a framework-native API for text generation, embeddings, tool-based interactions, agents, memory, structured output, and streaming. The SDK supports multiple AI providers (Anthropic, Gemini, OpenAI, and others) behind a consistent interface with automatic fallbacks for rate limits and outages. Beyond the announcement, the broader argument is that AI is not replacing developers but changing how development works — early adopters of new paradigms historically thrive, and trained developers with strong fundamentals and system-level thinking will be the best users of AI tools.

  14. Article
    Laravel News · 5w

    Model::withoutRelation() in Laravel 12.54.0

    Laravel 12.54.0 ships several new features and bug fixes. The headline addition is Model::withoutRelation(), which clones a model with specific relations removed without mutating the original — useful for serialization, queued jobs, and circular reference handling. Other additions include an interval() method on InteractsWithData for parsing duration inputs into CarbonInterval, improved Response::dump() output that now includes request method, URL, and status code, BinaryFileResponse assertion support in HTTP tests, queue:monitor showing oldest pending job age in standard output, custom CommonMark extensions for mail Markdown rendering, a composite index on the jobs table for better queue polling performance, and native tsvector column type support in the PostgreSQL schema builder. Bug fixes cover queue deadlocks, database migration edge cases, URL validation for punycode subdomains, filesystem permission issues, and a CommonMark security update.

  15. Article
    stitcher.io · 6w

    "A" for "Artificial"

    A short reflection on treating AI as just another tool, drawing a parallel to PHP — a language often dismissed but valued by those who know its strengths and limitations. The piece uses dictionary definitions of 'artificial' to ground the argument that AI, despite the hype, is ultimately a human-made tool with specific use cases, advantages, and drawbacks.

  16. Article
    Laravel News · 3w

    Take the Pain Out of Data Imports with Laravel Ingest

    Laravel Ingest is a configuration-driven ETL package for Laravel that replaces ad-hoc import scripts with declarative importer classes. It streams CSV/Excel files of any size using PHP Generators and Laravel Queues to keep memory usage flat. Key features include fluent IngestConfig builder, automatic BelongsTo/BelongsToMany relationship resolution, duplicate handling strategies (SKIP, CREATE, UPDATE, UPDATE_IF_NEWER), dry-run validation mode, failed row tracking with CSV export, column aliasing, and support for multiple import sources including S3, FTP, and SFTP. Each registered importer automatically gets both an Artisan command and a REST API endpoint, plus monitoring commands for checking status, cancelling, and retrying failed rows.

  17. Article
    DigitalOcean Community · 5w

    How To Work with JSON in MySQL

    MySQL 5.7.8+ supports a native JSON data type that bridges relational and document-style storage. This tutorial walks through creating a database schema with a JSON column, then demonstrates CRUD operations using MySQL's built-in JSON functions: JSON_OBJECT, JSON_ARRAY, JSON_MERGE_PRESERVE for creating data; JSON_EXTRACT (and the -> operator) for querying; JSON_INSERT, JSON_REPLACE, and JSON_SET for updating; and JSON_REMOVE for deleting specific keys. The second half covers integrating this with Laravel's Eloquent ORM, including migrations with json() column type, model casting of JSON to arrays, and querying JSON attributes using the attributes->key syntax in where clauses.

  18. Article
    Symfony · 6w

    Introducing AI Skills for Symfony UX (Symfony Blog)

    Symfony UX now has a set of AI skills — structured knowledge packages (SKILL.md files) following the open Agent Skills standard — designed to help AI coding agents like Claude Code, Cursor, Windsurf, and Gemini CLI understand when and how to use Stimulus, Turbo, TwigComponent, and LiveComponent. Created by Simon André (SensioLabs), the skills cover decision trees, best practices, common pitfalls, and idiomatic patterns for the full Symfony UX frontend stack. They activate automatically when the agent detects a relevant task, require no explicit invocation, and can be installed globally or per-project. The skill files are also useful as curated reference material for human developers learning Symfony UX.

  19. Article
    Laravel News · 4w

    Lens for Laravel Brings WCAG Auditing to Your Local Dev Workflow

    Lens for Laravel is a dev-only package that scans Laravel applications for WCAG accessibility violations using Axe-core and a headless Chromium browser. It maps each issue back to the specific Blade template file and line number, and provides a web dashboard, an Artisan CLI command for CI/CD integration, and optional AI-assisted fix suggestions via Gemini, OpenAI, or Anthropic. The dashboard supports single-page, multi-URL, and full-site crawl audits, groups results by WCAG level (A, AA, AAA), and can export PDF reports. The package is restricted to local environments by default. Automated scanning catches roughly 20–30% of WCAG violations, so manual testing remains necessary for full compliance.