Best of PHP: April 2026

  1. Video
    Fireship · 3w

    A rich hacker just penetrated 31 WordPress plugins...

    A supply chain attack compromised 31 WordPress plugins after an attacker purchased them via Flippa, inserted a dormant backdoor, and later activated malicious payloads that modified core WordPress files including wp-config.php. The command-and-control domain was resolved through an Ethereum smart contract, making it resilient to takedowns. The attack bypassed normal security suspicion by arriving as a routine plugin update. The post also covers Cloudflare's new Mdash project, a WordPress-compatible alternative built on Astro that sandboxes plugins using dynamic workers and capability-based bindings to prevent the kind of full-privilege access that makes WordPress plugins dangerous.

  2. Article
    PHP Dev · 4w

    DebugPHP is live. Free, open-source, real-time PHP debugging in the browser.

    DebugPHP is a free, MIT-licensed, open-source PHP debugging tool that lets developers send any variable or data to a live browser dashboard using a single `Debug::send()` call. It requires no configuration, no desktop app, and no page reloads. Features include real-time log entries with filtering, table rendering, a built-in timer, live toolbar metrics, automatic environment detection, and click-to-open IDE integration (VS Code, Cursor, PhpStorm, Sublime). It has zero runtime dependencies beyond ext-curl, is fully self-hostable, and collects no telemetry.

  3. Article
    Laravel News · 4w

    Pretty PHP Info: A Modern Replacement for `phpinfo()`

    Pretty PHP Info is a PHP package that replaces the default `phpinfo()` output with a modern, dark-mode-ready, searchable UI. Beyond the visual upgrade, it provides a programmatic API via `Info::capture()` to query PHP configuration, check loaded modules, and retrieve both local and master (php.ini default) values for any directive — something `ini_get()` alone cannot do. The package supports iterating over the full configuration structure using collection methods, and can parse previously saved phpinfo HTML or text output. Requires PHP 8.3+ and ext-dom, installable via Composer.

  4. Article
    Laravel News · 5w

    Manage Software Licenses in Laravel with Laravel Licensing

    Laravel Licensing is a package that brings enterprise-grade software license management to Laravel applications. It supports offline verification using PASETO v4 tokens signed with Ed25519, seat-based license enforcement, multi-product isolation via License Scopes with separate signing keys, grace periods, renewals, expiration, and full audit logging. The package provides artisan commands for generating root certificates and signing keys, and a fluent API for creating licenses, registering devices, and issuing offline verification tokens. Two companion packages extend the ecosystem: a client-side validator and a Filament admin panel for managing licenses and monitoring seat usage.

  5. Article
    The New Stack · 3w

    Who will maintain the web when PHP’s veterans retire?

    A Perforce 2026 PHP Landscape Report surveying over 700 developers reveals a growing skills gap in the PHP ecosystem: more than half of PHP developers have 15+ years of experience, while only 15% have five years or less. Hiring has become the top challenge for PHP team managers, with 24% citing lack of skilled personnel as a leading operational concern. Analysts warn this isn't just a PHP problem but an open source problem, compounded by AI-generated code creating silent technical debt without enough junior developers to manage it. Despite the talent crunch, PHP remains foundational — tied with JavaScript at 72% usage — powering millions of e-commerce sites, WordPress installations, and APIs, mostly at companies with fewer than 500 employees. Symfony and Laravel lead the framework landscape.

  6. Article
    PHP Dev · 3w

    DebugPHP — Framework Support is here. Laravel logs, zero config.

    DebugPHP has added Laravel framework support, allowing developers to stream Laravel log output (Log::info, Log::warning, Log::error) directly to the DebugPHP dashboard with just two lines of code and zero configuration. No middleware, facades, or boilerplate required.

  7. Article
    Laravel · 3w

    How I Built an AI-Powered CRM with Laravel in a Week

    A senior freelance PHP developer shares how he built an AI-powered CRM MVP for an emergency response center in under a week using Laravel. The stack included Laravel Herd for local development, Laravel Cloud for CI/CD and deployment, Tailwind CSS and Alpine.js for the frontend, and the Laravel AI SDK with OpenAI Whisper for voice transcription. Push notifications via Laravel WebPush enabled a PWA experience indistinguishable from a native app. The project's success has the developer considering turning it into a multi-tenant micro-SaaS.

  8. Article
    PHP · 4w

    PHP: PHP 8.5.5 Release Announcement

    The PHP development team has released PHP 8.5.5, a bug fix update for the PHP 8.5 branch. All PHP 8.5 users are encouraged to upgrade. Source downloads and Windows binaries are available on the official PHP downloads page, with the full list of changes in the ChangeLog.

  9. Article
    PHP Dev · 2w

    DebugPHP — Docker support is here.

    DebugPHP Server now supports Docker with a three-command setup using Dockerfile and Compose config. Setting `dockerized: true` in the client config enables automatic server discovery by probing `debugphp-server`, `host.docker.internal`, and `127.0.0.1` in sequence, with results cached for an hour to eliminate per-request overhead. No hardcoded IPs or manual host configuration required.

  10. Article
    Viget · 1w

    Craft 6 and Laravel: What You Need To Know

    Craft CMS is migrating from Yii 2 to Laravel in its upcoming version 6, announced at Dot All 2025. The transition is designed to be low-friction thanks to a first-party Yii 2 adapter package (`craftcms/yii2-adapter`) that bridges Yii 2 API calls to Laravel equivalents at runtime, allowing most plugins to work without code changes. The core Craft architecture — Elements, Fields, Sections, Matrix, Twig templating — remains unchanged; only the underlying framework plumbing is swapped. Craft 6 also brings new content authoring features including content releases, scheduled drafts, approval workflows, and a redesigned UI with dark mode and WCAG 2.2 compliance. Craft 5 has been designated an LTS release with support through 2031, removing any urgency to migrate immediately. Craft 6 stable release is targeted for Q4 2026.

  11. Article
    Laravel News · 2w

    Laravel Mobile Pass: Generate Apple Wallet and Google Wallet Passes

    Laravel Mobile Pass is a new Spatie package that lets you generate Apple Wallet and Google Wallet passes directly from a Laravel application. It supports boarding passes, event tickets, coupons, store cards, membership cards, and gift cards. The package provides a unified builder API for both platforms, returning a MobilePass Eloquent model that implements Laravel's Responsable interface to serve the correct format per platform. It also supports live pass updates pushed to already-installed passes via a PushPassUpdateJob, with optional queue support. A live demo is available to test all pass types and the push update mechanism.

  12. Article
    Socket · 2w

    Introducing Reachability for PHP

    Socket is launching experimental reachability analysis for PHP, enabling teams to determine which CVEs are actually exploitable in their specific codebase rather than triaging every advisory blindly. The engine uses function-level call graph analysis with both Tier 1 (against actual source code) and Tier 2 (pre-computed against dependency graph) modes. Key technical challenges addressed include PHP's __call magic method dispatch (used in Laravel Facades, Doctrine proxies, PHPUnit mocks) and string-based class instantiation patterns used by Laravel, Symfony, and PHP-DI containers. A concrete example with CVE-2022-29248 in guzzlehttp/guzzle demonstrates how two apps on the same vulnerable Guzzle version get different verdicts based on whether they use cookie jar handling. The engine achieves over 90% accuracy on WordPress, PHPUnit, and Flysystem, and mid-to-high 80s on Twig and Espo, validated against dynamically observed call graphs.

  13. Article
    Symfony · 4w

    Symfony UX 3.0.0 Released (Symfony Blog)

    Symfony UX 3.0.0 is a new major release that drops all deprecations from the 2.x cycle and raises minimum requirements to PHP 8.4 and Symfony 7.4. Four packages have been removed: Swup, LazyImage, Typed, and TogglePassword, as their functionality is now either natively available in browsers or easily replicated with a few lines of code. Key breaking changes include: LiveComponent's CSRF argument removal (same-origin/CORS protection is now default), TwigComponent configuration updates, Map Twig function renames, StimulusBundle cleanup, Google Maps bridge upgrade to @googlemaps/js-api-loader 2.0, and Cropper rotation now always applied automatically. The test infrastructure has also been modernized to use PHPUnit 11 directly instead of the Symfony PHPUnit Bridge. An UPGRADE-3.0.md file is available with detailed migration instructions.

  14. Article
    Laravel News · 4w

    PestPHP Intellisense in Laravel VS Code Extension v1.7.0

    Laravel VS Code Extension v1.7.0 introduces PestPHP intellisense with autocomplete for custom expectations and test configurations, generating helper docblocks stored in storage/framework/testing/_pest.php. The release also adds a 'Go to Route' command palette action for navigating directly to route handlers, a curated set of common Artisan commands with terminal execution inside VS Code, and autocompletion/diagnostics support for new Laravel 13 attributes including routing and Eloquent model attributes.

  15. Article
    Laravel News · 5w

    Log User Activity in Your Laravel App with Activity Log v5

    Laravel Activitylog v5 by Spatie has been released with PHP 8.4 and Laravel 12 as minimum requirements. Key additions include a unified HasActivity trait replacing the separate LogsActivity and CausesActivity traits, an activity buffering feature for bulk inserts (enabled via env or config), and a new defaultCauser() API. Model change tracking now uses a dedicated attribute_changes column instead of the properties JSON column. Several methods and config keys were renamed for consistency, and the batch/pipe systems were removed entirely.

  16. Article
    Laravel News · 1w

    Interruptible Jobs in Laravel 13.7.0

    Laravel v13.7.0 ships several new features: the Interruptible interface lets queued jobs respond to worker signals like SIGTERM for graceful cleanup, a new WorkerInterrupted event enables observability when workers receive signals, the @fonts Blade directive and Vite::fonts() method add font preload and inline style rendering from Vite font manifests, bulk JSON path assertions (assertJsonPaths/assertJsonMissingPaths) simplify testing multiple response values at once, and SortDirection enum support improves type safety in collection sorting. Additional improvements include LazyCollection keyBy() accepting BackedEnum, an isLocked() method on the Lock class, and enum support across several manager classes.

  17. Article
    Laravel · 4w

    Meet Maestro: How We Manage 21 Laravel Starter Kit Variants

    Maestro is an internal orchestration tool built by the Laravel team to manage 21 starter kit variants across 8 repositories. Instead of manually propagating changes across every repo, Maestro uses a layered build system where shared, framework-specific, auth-specific, and feature-specific layers are composed into final runnable kits. Contributors work on a built variant in a single directory, and a watcher syncs changes back to the correct source layer using priority-based ownership logic. Placeholder restoration ensures framework-specific values don't leak into shared source files. The tool also provides CLI commands for linting, validation, and browser testing across the full matrix or a targeted subset, significantly reducing the cognitive overhead for contributors.

  18. Article
    Laravel News · 3w

    Redis Cluster Support for Queues in Laravel 13.5.0

    Laravel 13.5.0 ships first-class Redis Cluster support for the queue driver and ConcurrencyLimiter, resolving CROSSSLOT errors on AWS ElastiCache Serverless and other cluster deployments by automatically wrapping queue names in Redis hash tags. The release also completes #[Delay] attribute support for queued mailables, enables Controller Middleware attribute inheritance in child controllers, expands UnitEnum support across CacheManager, MailManager, and AuthManager, adds Closure support to updateOrCreate and firstOrNew, and introduces a Cache::handleUnserializableClassUsing() hook for detecting broken cache values. Several bug fixes are included for queue lock handling, auth redirect callbacks, and phpredis SSL options.

  19. Article
    Laravel News · 3w

    Composer 2.9.6 Fixes Two Perforce Command Injection Vulnerabilities

    Composer 2.9.6 and 2.2.27 LTS have been released to patch two command injection vulnerabilities (CVE-2026-40261 and CVE-2026-40176) in the Perforce VCS driver. The first flaw affects the generateP4Command() method and can be triggered via malicious Perforce connection parameters in a root composer.json. The second affects syncCodeBase() and allows injection via a crafted source reference when installing dependencies from a compromised repository, even without Perforce installed. No exploitation in the wild has been detected. Users should run `composer self-update` immediately and prefer --prefer-dist installs to reduce exposure.

  20. Article
    Laravel News · 2w

    Debounceable Queued Jobs in Laravel 13.6.0

    Laravel 13.6.0 ships several notable features. The headline addition is debounceable queued jobs via the #[DebounceFor] attribute — when the same job is dispatched multiple times within a time window, only the last dispatch executes. A maxWait parameter prevents indefinite deferral. The release also adds JSON response support for the built-in /up health route (useful for API-only apps and load balancers), a new JsonFormatter for structured logging compatible with ELK/Datadog, and Cloudflare Email Service integration. Testing improvements include multi-record assertions for assertDatabaseHas/assertDatabaseMissing, and the hasAttached factory method now accepts arrays of pivot arrays. Additional fixes cover validation rules, enum support in BroadcastManager, PasswordBrokerManager, and NotificationChannelManager, plus SQS named credential providers.

  21. Article
    Laravel News · 4w

    Laravel Starter Kits Now Include Toast Notifications

    All four official Laravel starter kits (React, Vue, Svelte, and Livewire) now ship with built-in toast notifications, replacing the previous inline action messages. For Inertia-based stacks, a new `Inertia::flash()` server-side call passes toast data to the frontend, where a `useFlashToast` hook triggers Sonner toasts. The Livewire kit uses Flux's built-in `Flux::toast()` method with a persisted toast group. Toasts are pre-wired for profile updates, password changes, and email verification, and developers can extend them to custom actions using the existing plumbing.

  22. Article
    stitcher.io · 5w

    Dependency Hygiene

    A PHP developer scanned 1554 Packagist projects and found that 229 (roughly 15%) include unnecessary polyfill or compatibility packages despite requiring a PHP version where those packages are no longer needed. The post raises questions about how carefully developers vet their dependencies, drawing parallels to recent NPM supply-chain attacks. The author sent PRs to all affected projects and reflects on whether the convenience of package managers has made developers too passive about what code they pull in.

  23. Article
    Laravel News · 1w

    Polyscope for Windows is Now Available

    Polyscope, an AI agent workspace manager for Laravel developers, is now available on Windows. It brings the same features as the macOS version, including parallel branch workspaces with separate .test domains, built-in checkpoints for reviewing and rolling back agent changes, a process runner for auto-starting services like queue workers and npm scripts, and a mobile UI for remote monitoring. Laravel Herd integration is included, and Linux support is planned next.

  24. Article
    Laravel News · 4w

    ArtisanFlow: A Flowchart Engine for Laravel and Alpine.js

    ArtisanFlow is an alpha-stage open source package that brings node-based flowchart UIs to Laravel applications. It consists of two packages: AlpineFlow (the core frontend engine built on Alpine.js) and WireFlow (a Laravel/Livewire companion using Blade components). Key features include directive-driven node building with x-flow-* Alpine directives, a built-in animation engine with particles and path motion, smart edge routing, deep node nesting with parent/child hierarchies, and zero-JS Livewire integration. WireFlow supports two-way data sync via Livewire entangle(), server-driven canvas updates, custom node types via Blade views, and event handling routed to Livewire component methods. It also ships with a real-time collaboration add-on using Laravel Reverb and AI-optimized documentation compatible with tools like Claude Code and Cursor.

  25. Article
    Ibrahim Diallo · 5w

    AI Did It in 12 Minutes. It Took Me 10 Hours to Fix It

    A developer shares a firsthand experience using an AI coding agent (GLM-5 via z.ai) to build a PHP media manager for a personal blog. The AI generated ~5,000 lines of spaghetti code in 12 minutes, but it took 10 hours of debugging, restructuring, and rewriting to produce a maintainable 1,254-line codebase. Key issues included incorrect file includes, missing session_start() calls, SQLite permission quirks, and conflicting system prompts causing Node.js code generation. The author reflects on the real cost of AI-generated code: the cleanup and comprehension burden often negates the speed gains, and deploying code you don't understand is a liability.