Laravel 13.4, Cloud CLI, AI Agents & Axios Hack — Laravel News Podcast 256

Hey everybody, how's it going? Uh, Michael caught me off guard. We are on episode 256. It is Monday the 13th, April uh 13th of April, 2026. Welcome to the show. We have all of our stuff together. We know what we are doing. We are professionals. We are prof Don't question it. Sure. Just go with it. Guys and girls, I got to tell you, how could you How could you question it at this point? Exactly. No, nobody's questioning it. I I have got I think probably the biggest knot in my shoulder I've ever had in my life. Like it it's it's right right there. I'm going to have to go uh grab my theraane. Thank you, Caleb Porzio, for the wonderful suggestion. Um Caleb Porzio, by the way, if you do not know who Caleb Porio is, you should. creator of Livewire and Alpine and all things uh string, the string king back in the day. Um, but he has a podcast called Notes on Work, which I love. It's one of my favorite podcasts. And he just turns on the mic and just records for whatever. And he had one podcast not too long ago where he just talked about all his favorite things. It was like Oprah's favorite things, but Caleb. And he didn't give anything away on the show like Oprah does, but he talked about all these cool things that he likes. And the theane was one of them. and I am going to use it tonight. Nothing to do with the show, but here we are. Michael, how's it going, my friend? Going good. I uh those of you, all of you who watch the podcast, I think I've got all the glisten off my face. I just I got we we've deployed our uh Laravel 13 upgrade to production last night and it all appeared to go well, but we had there was there's a library that we used to connect to Salesforce and because of the like saloon exploit that was patched last week. Between when we opened the Laravel 13 PR and then shipped the Saloon 4 fix and then did the Laravel 13 upgrade, we got a a patch release of this library and that changed the way that it was handling things in confluence with the saloon changes for the CVE and that then meant that all of our Salesforce stuff broke because it ced like an empty token and then tried to reuse it for everything. So that was a bit of fun. So I was laid out the door to go for my run. So I'm still Oh, that sounds so fun. damp. Fortunately, it was a reasonably quick fix. The other one, while we're talking about it, because we're going to get into Laravel 13 here, it of course Laravel 13 also changed the way that it resolves routes in terms of like Yeah. So, it's not it's not strictly top to bottom anymore, but it's also it there's something in there around um the the um explicitness. So, we had like a a a catch all route in there that would catch everything and and send it to like a platform specific. So, we we host like four different frontends on the same application. And so, everything goes through this front-end controller or this platform specific controller. And the route was defined with a reax that basically said catch everything you know star yeah that hasn't been previously registered and that that worked in laral 12 and laral 13 something changed and I'm don't know this can't remember the specifics but we had to put in like a a negative look ahead to make sure that like everything that's in / ai doesn't get caught everything that's in this and that and the other and so one of the packages that we use to provide again for Salesforce external objects using the o data protocol um it wasn't in that negative look ahead. So, all of those things got were returning the wrong Oh, boy. um route URLs. So, boy small fixes, but yeah, something to be aware of if your routes mystically stop working in Laravel 13. So, okay, we have that is a good one. That is a good one to uh be aware of because that one can bite you. Yeah, it sounds like it, boy. Okay, thanks for the uh heads up on that. Hey, shall we start into the episode then? Episode 256. Should we jump into it? Okay. Unit test attribute and more in Laravel 13.3.0. So we're already at 13.3. Uh we've got a couple patch releases in here. Um so let's jump right into it. A unit test attribute. So this new unit test attribute lets you skip framework booting for individual test methods within a test case that extends the Laravel's base test case. This is useful um when most tests in a class need the container, but a few are pure unit tests that don't. So typically it's going to boot up everything um and you just extend the test case and you're all set. Just handles that boots it all up. But you may have sort of a mixed bag sometimes where in some of these tests we don't actually want to do that. So without this every test in the class pays the cost of booting the entire framework. But with that pound unit test attribute I'm just saying pound because that's how you define that's how you like specify an attribute. compound bracket unit test. Those specific methods run as bare PHP unit tests. They will not boot the framework. So that could be obviously the thing we're looking for here is speed. Once you get a test suite that's of a sufficient size, you're really sort of doing anything you can do to get that thing to run faster. And so this is one of those ways. Uh you can see details for that in poll request 59432. Variatic model attributes. If you've not heard of a variatic attribute before, um, you are in luck because while I've heard of them before, I might have to relearn them right now. So, let's learn together, shall we? Several eloquent methods, sorry, several eloquent model attributes. Still talking about attributes here. Now, accept variatic arguments. So, previously you had to pass an array, but instead now you can pass each as a separate argument because it is a variatic argument. The signature will then take those and push them into an array on the back end. Right? So you can pass as many as you'd like in and then it will just extract those and use those as an array. Passing a single array is still supported. So there's no breaking changes of course but instead of having to wrap that in a bracket you can now just pass them as you know basically like a commaepparated list almost. So before fillable and hidden are the two that they're using here. You would have had to do attribute fillable bracket to start the array. First name, last name, end of the bracket. After you can now just say fillable PN first name, comma, last name, comma, password, whatever it is, right? You would probably want that to be fillable, but you get the idea. Passing a single array is still supported as was as was stated. Okay. A new batch started event will fire when the first job in a batch is processed. This is true regardless of if it succeeds or fails. And so what this does is this fills this gap that existed in this batch life cycle. We already had a couple events, four of them to be specific. Batch dispatched, batch started, batch sorry, batch started wasn't in there. Batch finished, batch canceled. Uh but now the batch started event is the new one. So this makes it possible to distinguish between a batch that's been cued and one that's actively being worked, which is useful for progress monitoring and UI updates. So previously all you could do is say batch dispatched. It got pushed to the queue. Awesome. I need to know when the first job is actually getting worked. That's what the batch started is is doing for you there. Memory usage in verbose Q worker output. If you didn't know this in most commands just across the board dash V after the command will mean give me output that is really specific. The V stands for verbose. And so in this case we now have memory usage which is getting included when you pass that verbose flag. So each process job now includes current memory usage alongside the existing timing information. The memory reading uses the same logic as the worker's internal memory exceeded check. So it gives you a direct view of how close a job is pushing towards that memory limit. Um and so very helpful for debugging there trying to figure out exactly how much memory is getting used by a specific job. Of course, there's other Q there's other fixes and improvements in this one uh regarding Q workers, scheduling models and database, HTTPs and request, URIs, etc. The list goes on and on. We just like to hit the highlights. Thanks for writing that one up for us, Mr. Paul Redmond, everyone's favorite human. All right, folks, moving on. Can I just expand on the unit test attribute? uh Luke Kousmish uh contributed this and he's talking about this in the context of a a modular monolithic application where you've got lots of code in there and it's like you're going to have a whole bunch of tests and most of them are going to want to boot the framework and make a request for something but you you may need to do something that is testing the surface area of like a service class and rather than splitting that out for whatever reason you know you want to collocate the test all together that's that's realistically what this attribute is for to avoid like in the context, you know, to keep everything contextualized, but to allow you to then say, "No, this thing doesn't actually need the framework. We just want to, you know, run some tests again against a a plain PHP class." In addition to that, Tim McDonald just casually in the replies somewhere yesterday, and I'll include a link to this uh in in the show notes, was just a bunch of tips around performance improvements to uh testing. So talking about uh being careful with eloquent factories, using lazily refreshed database, using the with cached config and with cached routes uh attributes uh traits on your test, there's there's like 15 dot points here. This is just just in a screenshot that he's shared. So um I of course reached out to him and said you need to put this into a conference talk because there's exactly there's a conference talk worth of stuff in here. Um but I'll include a link to that in the show notes because we could all use a faster test suite, I think. Absolutely. Uh, Laravel's VS Code extension version 1.7 brings pest PHP IntelliSense with autocomplete and custom expectations, test configurations, and a new go to route command, common artisan commands with terminal execution and support for the new Laravel 13 attributes. So, first up, the extension now inspects your project's pest configuration and generates helper doloss that preserve the correct this type inside of pest hooks and tests. It will also expose custom expectation methods giving you autocomplete for pest extend and pest use which is extremely helpful. It's always difficult because all of this works with voodoo magic and high order proxies and god knows what else that Nuno and the team have cooked up but having proper type completion across editors is extremely helpful. A new command pallet action Laravel go to route opens a picker listing all application routes and navigates directly to the selected route handler. So whether that's a closure or a controller or whatever uh that is in there. Now the release also adds a curated curated set of common artisan commands to the command pallet with terminal based execution. Commands run in a dedicated Laravel artisan terminal so you can see output directly in VS code. The list includes commands for migrations, database tools, Q management, cing, tinker, route listing, and more. And lastly, uh, Laravel 13 attributes. The extension will now provide auto completion, linking, hovering, and diagnostics for new Laravel 13 attributes, including routing attributes and eloquent model attributes. Thanks to all of the contributors for that one. Well, folks, we're going to move on to the news. And I hate to be the bearer of bad news, but sometimes it has to happen. If you did not know about this yet, you're going to want to. Axios npm package was compromised with a rat, remote access trojan. So, let's talk about this real quick. Axios is an HTTP client library, meaning it's on the JavaScript side of things. Uh, Laravel has used this for a very long time. um as has inertia as has a lot of other um projects right Axios is one of the most widely used JavaScript HTTP clients across the board uh it's a common dependency in Vit inertia any any nodebased pipelines so uh what happened is that Axios version 1.14.1 and 030.4 four were compromised. So, what exactly happened? Well, there's lots of writeups on this, but one of the primary maintainers, if you read through the situation of how he actually got compromised, you're going to feel for the dude because it was so clever the way that they did this social engineering to really just lower his defenses. It It was It wasn't just like a oops, he clicked a link. It was like lots of stuff leading up to that that just sort of made it very very comfortable and like, "Oh, yeah, just one more thing. click this and that was it, right? And so um after the maintainer was after his account was compromised um the attacker installed a single new dependency um in like the dependency tree but changed none of the Axio source code and then what happened is in a postinstall command it would then drop this uh remote access Trojan onto the machine of the developer. It was it was Mac, Linux, um where was it? Windows 2, I guess. I don't know. I'm thinking I'm not sure exactly, but yeah, it wouldn't surprise me. Yeah. So, it was sort of across the board. So, just to be clear, um this is not a Laravel vulnerability, but they did announce that they're taking proactive steps to protect the community from the supply this supply chain attack. And they're telling people like if you installed or updated this in the last you know little bit here in the last couple weeks scan your machine. Uh the Laravel team has pinned Axios to a safe version and Laravel/ Laravel. The Laravel installer now runs package installs with ignore scripts by default and then they also blocked the attacker's domain across Laravel cloud. Uh Pushpack also shared a prompt that you can use to scan your local computer to check for any vulnerable installs. If you happen to be one of those who was affected, uh, meaning you installed Axios 1.14.1 or 0.3.4 during the window that they were available, you basically need to treat your machine as if it's been compromised. So, the recommendations are to remove those poison packages, check for any artifacts, rotate any credentials and tokens on all the affected machines. We if you're curious about how to protect yourself from something like this happening again in the future, we just talked about this on the Northme Southway podcast. So there's a couple things proactive steps that we've done on our side to ensure that these sorts of things don't compromise not only our local development machines but also our CI environments. Um so there's lots of stuff you can read about out there. There's a couple things linked here in the GitHub issue as far as how this all happened. The post modem the postmortem update. If you're interested in any of that, please uh take a step to read that. But educate yourself on this one. It's a really important one. You don't want to get caught out by not having done what you should have uh to make sure that you weren't one of those affected. So, take a couple minutes, do that. Hate again, hate to start out the news portion with that one, but there you have it. I don't know how to pronounce this one. I'm going to go ahead and just call it Phantom, but it's spelled PHP Antom, which is a fast PHP language server built in Rust. It is a PHP language server protocol implementation that is written in Rust, built around fast startup, and low memory use on a project with 21,000 PHP files and one and a half million lines of code. It is ready in less than 1 second, and consumes just 59 MGB of RAM. It communicates over standard in and out using the standard LSP protocol and works with any LSP supporting editor. Jet Brains PHP Storm STS are bundled directly into the binary. So there is no runtime download or cache to manage. Uh Phantom resolves types across generics, PHP stand annotations, conditional return types, and array/object shapes. It will handle template and template coariant tags. So a generic collection class produces correctly typed completions at each call site. Laravel eloquent is supported without any external plug-in. So relationships, accesses, and model properties are resolved for completion and go to definition. Phantom also includes code actions for renaming symbols across the workspace and changing method visibility. And the REDM's feature comparison table lists additional refactoring actions including extracting methods and functions, lines and variables, constructor parameter promotion, and implements interface methods. Though support may vary by editor and PHP version. It will also detect deprecated symbols and flags them in line and includes an expression simplification code action. There are pre-built binaries for Linux, Mac OS, and Windows available from the release page, and you place the binary somewhere into your path and then configure editor. Neoim will take a server entry in your LSP config. Uh there is a generic LSP client extension for VS Code. There's an extension included for zed and you can install the LSP for J plugin in PHP Storm and then configure and get things going. You can you can even generate a default config file using the phantom lsp binary itself. Uh Paul Paul found this one. I have been using it. I find it to be certainly a lot. I mean intellense has been a mainstay for uh you know VS Code and Neov users for a long time um and and has been very solid. There is definitely some gaps in in what this does implement in terms of functionality, but there is a a matrix on the readme for the project that goes through all of that. And I've I found it, you know, for the for the 99% use case of the things that I'm doing dayto-day, it's uh it's pretty robust. And not having like a runaway Intellense process consuming all of my computers resources is extremely desirable. So check it out if you are still writing code in an editor. Nice. And if you are writing code in the editor that is called PHP Storm, you are in for some good news. PHP Storm 2020 2026.1 was released on April Fool's Day. uh and I don't actually know if it was released on April Fool's Day, but Eric Barnes, our fearless leader, released his blog post on April Fool's Day and has a about a 4minute video going through the different features that have been added to this release. So, if a video is more your thing than this podcast, go ahead and pause right now, jump over to the show notes, find this one, PHP Storm 2026.1 released, and watch Eric's video. However, if you are still tuned in, dear listener, let's talk about it. Laravel and PHP feature releases. This adds framework support for Laravel 13, Livewire, Filament along with new package support for Laravel Wayfinder. Okay, to be clear, this is not AI support for those things. This is PHP Storm support for those things. So, it understands the syntax. It understands the different conventions and things like that for those things. It's almost weird that you have to specify that now. But since everything is so heavily weighted towards the AI, it's not like no, this is not a skill thing. It's like it's just it understands the syntax and and understands like when you're in a level 13 project, it gets it okay. Eloquent method handling has been improved. Find usages is more accurate. There's a new route search UI for navigating application routes, which is really nice. Uh and then on the PHP side, generics have gotten better type inference for callable generic types. And there's also a new quick fix uh which can detect opportunities to use PHP 85's pipe operator which I cannot believe actually made it into the framework or sorry into PHP but it is there and so now um PHP storm with its amazing refactoring capabilities will say hey you know you could use a pipe operator here and that it will offer to convert that code for you automatically. Okay. Now on to the AI side of things. MCP server and agent support. So PHP Storm's built-in MCP server now exposes things like inspections, quick fixes, IDE search, and IDE actions to thirdparty agents like Claude Code or Windsurf. So they can know, oh, these are tools that are available for me to use because you're using PHP Storm as your IDE. So Claude can then grab a hold of that and use those MCP endpoints. There's also Malaravel idea MCP server integration if you happen to be using that. Um, okay. Next edit suggestions provide AI powered related changes across a file without consuming your AI quota. I'll let you take a look into that one. Jetrains also has this thing called Juny CLI which is sort of like a bring your own key coding agent. So it's LLM agnostic. It doesn't care which one you happen to be using. You could use Bcodeex, you could be clawed, you could be using whatever, any of the one you want. Bring your key and the Juny CLI is available for you to use right there inside of PHP Storm. Um, there's a couple of testing and debugging things. I'm going to skip that project indexing optimization. If you hate opening a new project and it taking forever on the indexing side of things, uh, it has been much improved. It is cached. It has user uploaded content and excludes directories from p project indexing that it recognizes. Nope, these are uploads don't need to don't need to index this stuff. It's probably not going to be referenced very very often. Okay, here's the big one. Ready? Git work trees now have first class support. We were just talking about this. So you can now work on multiple branches in parallel without switching. Get work trees. Super nice. I'm stoked to install this. And check this out. Uh there's inter terminal completion for git docker kubernetes custom scripts. Uh a couple other little things blah blah blah not going to worry about those. The big one is get work trees and then there's this also this odd side note code with me which I never actually got to work really well. Uh which was sort of this idea that like if you and one of your co-workers are using PHP storm you can do this like interactive environment terminal environment thing where you can both see each other sort of navigating. It's like, you know, pair programming like in the editor. I don't know. Great idea. I I kind of feel like it never really took off. They're sunsetting this after this release. So, it's not going to be available really anymore as part of the main thing. It's going to be a marketplace plugin. So, there you have it. That's all the details. If you'd like to find out more information about that, they have a release announcement as well up on their own blog at blog.jetbrains.com. How? That's how I'm going to say it. I haven't heard how Nuno says it, but POW is an agent optimized output for PHP testing tools. It is a new project dev tool from Nuno Madura that detects when your tests are running inside an AI agent, whether that's Claude Code or Curso or Devon or Gemini CLI, and replaces the normal testr runner output with compact JSON. The result is a fraction of the token count with no change to how you run your test. This hooks into PHP's autoloader and once installed, it automatically detects AI agent environments and switches from the test runner's default human readable output to a minimal JSON format. The benchmarks from a 1,000 test suite 1,00 test test suite show a significant difference. Without PAL, PHP unit consumes approximately 336 tokens. With pest, 10,123 tokens and pest running in parallel 11,125 tokens. But with PAL, each of those three scenarios, PHPUnit, pest, and pest in parallel, all consume just 20 tokens, which is a reduction of up to 99.8% of token usage. Beyond the per run savings, the bigger benefit in longer agentic sessions is context window preservation. Test output that would otherwise accumulate over dozens of runs no longer competes with code and conversation history. PAL works with PHPUnit 12 and 13 pest version four and five. Is pest 5 out? Did we miss that? Is that coming soon? I don't remember 5. Yeah, I have not seen that. And power test. This is not Laravel specific. Any PHP project using one of those runners including Laral, Symphfony, Laminus, and vanilla PHP gets the same behavior. It does require PHP 8.3 or higher, but there is no config file service provider or additional setup and activation happens through composers auto loader automatically. The package at the moment is a work in progress and under active development. But you know for a 11,15 token reduction when you are running your tests in parallel using pest I think it's worth a try. Thanks Nuno. Very cool. Um yeah I'm curious about that one. So it seems like that's a per project thing right? It's not like I can just install that locally and say for every time that you're doing any of these tests on any of these repos if you're using a gentic sort of thing then reduce it. No, it's more like a per project sort of situation there. So, um, yeah, it does seem that way. I'm curious if Laravel doesn't eventually accept this as sort of like a default thing that would pull into the framework. I think it'd be kind of cool. Um, h I don't know. See, why not? Because it's it's it's fairly transparent because it's just hooking into the autoload process and and injecting itself when it needs to. It's basically a totally a a test output formatter by the look of things. Yeah. Like if you're running if you're running your own tests locally, it's not going to mess that up. It's going to continue to give you a human readable output. No big deal. But if your agent is running and saying, "Hey, I'm going to run the tests real quick." It will it will um you know, preserve the context window and and reduce the number of tokens that are being used there. Okay, I think we all understand. But yeah, I'm curious if they it's just annoying to have one more package to install. Right. Every time I hear this, it's like, yeah, I've got a bunch of repos I have to go install that on now. is like if I just knew that like I'm upgrading to Laravel 13 and it's just included that'd be awesome. We'll see. Put in your global composer. Yeah, maybe. Yeah, I wonder. I don't know. That's a good It's maybe. Who knows? Who knows? Who knows? Who knows? That's who knows. Yeah. Who knows? Who knows? Also, I I have to say that Nuno really outdid himself with his YouTube uh cover image for this one. He's really embraced the uh He persona he has contorted that face to just be like I want to get the most you know people be like what is he doing? Yeah that's that's Nuno for you there. Okay let's talk about Laravel cloud shall we? There is now a new Laravel cloud CLI uh which is going to give you a streamlined way to deploy and manage your applications directly from the terminal. So this was built with Laravel zero which has been around for forever actually uh which is basically just a little mini framework that allows you to build great CLI based like yeah 2 based tools I I suppose right uh so it's a familiar command line experience for handling common cloud tasks without needing to switch to the browser so what are some of those common cloud tasks you might ask I'm glad you asked here are some of them application and environment management guided deployments ments with cloud ship. So it'll walk you through a set of prompts standard deployments via cloud deploy repository configuration with cloud repo config database and cache management domain and infrastructure controls remote command execution. So if you wanted to this is actually something I needed with forge uh recently um but remote code command execution where you can say I want you to run this command on this cloud site. Go do it. It will do it for you. JSON output. support for scripting and automation. So after authenticating with their very simple cloud off command, you can link your local repository to a cloud application and then avoid repeatedly passing app and environment options back and forth. So really this is built for like your automation and daily workflows. Uh many commands will support a JSON flag making this useful for scripting workflows, automation whenever you're deploying like or whether you're deploying updates, commands, inspecting environments. uh it's going to fit into your developer workflow. So they have a list of some example commands here. Again, Mr. Eric Barnes has a uh quick video where he says from zero to deployed in 5 minutes using only the Laravel cloud CLI. Really cool stuff. Go check that one out. Matt Stala joins the PHP Foundation board. Matt has always got a lot on his plate. He runs Titan. He's an open source contributor and he wrote Laravel up and running. Now he can add one more thing to that list and that is board member of the PHP Foundation. Uh he did get together with our fearless leader Eric Barnes to talk about what the foundation actually does, what this means for Laravel and why he thinks this is a turning point for PHP's reputation. This all started with a job listing. The PHP Foundation was looking for a new executive director and a friend forwarded to Matt half jokingly. the role is full-time and Matt obviously already has a full-time job and he laughed it off at first but the idea just kept nagging at him so he ended up applying anyway being upfront that he couldn't take it on full-time and it didn't work out for the role itself but through the process the foundation heard his vision for the community and asked if he'd be willing to join the board instead and of course he said yes. Um, so I won't go into too much more detail because there's quite a bit to the the post and also to the the video or the conversation, but he talks about what the PHP Foundation actually does, what this means for us as a Laravel community, and also how you can help. So, we'll have links to all of that for you in the show notes. Congrats to Matt and uh hopefully we'll see some good things. I mean, I don't know what good things are in the context, but I I hope to see something come of this, you know, in the coming 12 months or so or however long the appointment is. Absolutely. Matt Stuffer, all of our hero. You know, you and I knew Matt. I mean, when we were first kind of getting started, I think both of us worked with him on like some open source projects. I think you worked on Confluence with him. I think it's not Confluence. It was something else. Confomo. Thanks. Confomo like conference. FOMO. Confomo. and I worked on git log I think is what it was which was like a blogging platform that uses used git gist or github gists. Um, yeah. So, um, Matt Staler has just been a, uh, like 10x developer, right? I think that's what they call it, right? Those guys who just never seem to hit the top of their capacity. They just keep going. And so, stoked for him, stoked for us. It's going to be great. Um, Michael, do you happen to know who Jason Alexander is? Jason? I didn't. Didn't you? So, no, I I did not. Do you know who that is? Don't tell me. That would make that would that would make George very upset. Okay. Okay, so you do know. All right, so if there are any Seinfeld fans out there, you probably do know who Jason Alexander is. I did not. However, um I knew it had to do with Seinfeld because the sort of like cover image logo for this package we're going to talk about, which is called Jason Alexander, but it's not JS O, it's Jso N. JSON Alexander. Um, they have like George's face, George Castanza, right? So, Jason Alexander was the actor who played George Castan Castanza on Seinfeld. Not a Seinfeld guy, so sorry for those of you who are. Anyway, here's the idea. This is a more trustworthy way to view JSON in the browser. So if you work with APIs on a semi-regular basis, you know that you are spending time in the browser opening raw JSON responses and Chrome, Edge, whatever, they offer some like basic formatting tools, but it's still not a great experience. It's limited and if you want like a clean interface and control at all over how that data is being displayed, you're sort of out of luck. So another person who was a 10x developer who has never found their ceiling, Mr. West Boss has released JSON Alexander, which is a lightweight browser extension designed to make browsing JSON files easier and more pleasant. So, there was some concerns raised about another popular JSON formatter extension that had recently started injecting like geoloccation tracking. I think it was purchased or something like that. And so, this popular one that had been used, it kind of fell off the rails. And so, he's like, you know what? rather than continue to rely on this other thing. I'm just going to build an alternative that we can use to just if you can trust this thing, you can inspect it all you want, install it yourself, totally fine. So, as you might imagine, it provides a cleaner JSON viewing experience, a much nicer way to work directly with JSON in the browser. Um, instead of looking at a wall of unformatted data, you get tree view, formatted view, raw view, and it all happens right there in your browser with the extension. There's a couple different ways to install it. You can um it it's not yet available through the Chrome web store, although it has been submitted for approval. You can clone it and then you can basically load it into Edge or Chrome as an unpacked extension. It is not difficult to do. It's very simple, very straightforward. Um go look at the blog post. Super simple. And as what we said before, Wes is a friend of the Laravel community. He's been to multiple events. He's spoken at them. So, uh, definitely a guy you can trust and would love to see some love thrown towards this project. I do want to give a quick shout out to another tool that I've used, which is not a Chrome extension, but it is called JSON Hero. Oh my word, JSON Hero is absolutely incredible. Now, I've never used Jason Alexander, so I can't speak to like the comparisons, but JSON Hero is very, very good for dealing with large complex sets of JSON data. I would highly suggest giving it a look if you have to deal with large complex sets of JSON data. It is well worth your time. Okay, on to you, Michael. Laracon US is returning this summer, bringing the Laravel community together for two days of talks, announcements, and networking. The 2026 event will take place in Boston, Massachusetts with tickets now officially available. The conference itself will be held on the 28th and 29th of July at the SOA power station in Boston, Massachusetts. And the 2-day conference is the flagship Laravel event in the United States and typically features keynote announcements, technical talks, and community gatherings. The announced speakers so far, incredible speakers by the way, familiar faces from across the Laravel ecosystem and beyond. Taylor well Aaron Francis although I think he's MCing and he's very specifically said he didn't want to give a talk this year so Aaron Aaron taking up the MC duties always great to watch him watch watch him present Nuno Maduro Thorston B Chris Fidal Kenty Dods and Will King returning Chris hasn't spoken since that fateful hexagonal architecture talk in I don't know it was the first Laracon it was Lar New York second one the second Yeah, that was where I first met David Hempill and uh Matthew Machuga. Matt Machuga, good dude. Yeah, but Chris was there and yeah, the hexagonal architecture one. I was like, I think I'm in the wrong spot. I was like, I don't it didn't Yeah, it didn't quite land for me. He he references. It's possible Chris was in the wrong spot at the time. Yeah, it's fine. It's fine. We love him anyway. All right. Laracon US typically includes keynote announcements from the Laravel team, deep technical talks from community members, networking with Laravel developers and teams, community events and after hours meetups, and early looks at new Laravel features and tooling. Tickets are available right now. The conference runs from the morning of the 28th through to the 29th of July, and demand is expected to be high based on previous years. If you're planning to attend, it is worth grabbing tickets early and booking accommodation in Boston while availability is still good. I saw overnight Dave Hicking mentioned that they've picked up a couple new hotels um the Moxy Hotel and the AC Hotel in Boston which are both uh Marriott properties um and they have arranged for some uh discounts there as well. So check those out if you haven't yet booked your accommodation Jake and uh we'll I will be there from Sunday evening until Friday. If you want to know where I'm staying, you can you can message me. I'm not going to tell the whole listenership at once. Uh but I will see you. I will see you. I'll see you there. I will see you there as well. Yeah. In uh in July. Should be wonderful. Folks, uh Michael has very generously taken some time to build a little AI bot that sort of puts together our show notes for us, which is amazing. It saves a lot of time. However, sometimes it gets things a little bit wonky, and this happens to be one of those cases where we have Laravel 13.4, 4 which made it into the news section and not into the packages section. So we're going to cover level 13.4 right now. So what is new? There is a form request strict mode which will reject any input field that is not explicitly declared inside of your rules method. These Laravel form requests have always validated the content of known fields but they've just silently ignored any of those fields that were undeclared. So a client could send fields like is admin or roll alongside those leg legitimate requests. And if you happen to be using something like request all down the line somewhere and if you al also happen to be using guarded with a blank array, you could have these mass injection vulnerabilities where just not be good. Right? So with this uh you can basically say fail on any unknown fields and that's something you can just put in to your app service provider. You can enable that globally or you can be really precise and surgical about it. You can opt in per request class with the new fail on unknown fields attribute. So in your form request, you just put that attribute right above the class declaration there. And with that strict mode enabled, it will fail validation if they send anything else other than the fields that they were supposed to send that are declared inside of the rules uh object. It's it's the rules method but with the array that it returns. Individual request classes can opt out of that global um configuration change by setting the attribute of that fail on unknown fields to false. U so there you have that Q job inspection methods. There's three new methods on the Q facade that let you inspect jobs by state. So there's Q pending jobs, Q delayed jobs, and Q reserved jobs. So just like they sound, pending jobs are jobs that are waiting to be processed. they're sitting in the queue. Delayed jobs are jobs that are not just sitting in the queue, but they actually have a delay, meaning that the available at time stamp has been pushed towards the future and they have been intentionally delayed. They're waiting for that delay to expire so that they can be dispatched to the queue. And then you have reserve jobs, which are jobs that are currently being worked by a worker. So, they've been picked up and they are currently in process. Each one of those calls on the queue will return a collection of an inspected uh a collection of inspected job instances. They'll have these attributes. Uu ID, name, attempts, and then created app properties as well. Uh this is supported on the database and Redsq drivers. Other drivers return empty collections just to make sure nothing breaks there. if you happen to be in an environment like you're testing or your local where you might be trying to call those things but it's just you know you don't want it to give you a um method not found sort of situation. Okay, delay attribute support across dispatchers. So this new delay attribute introduced in version 13.3 now works across all dispatchers. Previously it was only wired into the event dispatcher. uh the bus dispatcher read the that's not correctly but the bus dispatcher uh read the delay property directly which was ignoring the attribute and so uh that is now supported across all those dispatches. Carbon overflow option. Okay, this is an interesting one I'm worth I'm interested in talking about here. A new overflow option has been added to Carbon's plus and minus methods which will give you control over how date arithmetic handles month end boundaries. Um here's a couple examples. So if you were to say carbon parse 2026131 meaning the first sorry the last day of the month in January and then you add a month. You would think um that would give me the end of February. At least most people when you're writing code and you're not thinking about the fact that January has more days than February. If you add a month you would just think oh it's going to go to the end of the month of the next month. Except for it doesn't. it overflows the next month and actually get gets you to uh March 3rd if you add month at the end of the January calendar there a calendar month that is not typically the expected behavior. So what you can do now is you can say um carbon arrow plus and then say the number of months as these are these are named arguments and then overflow false. So, when you say overflow false, that basically says do not do that behavior. Uh, just stick with moving to the next month. This is something we've talked about a number of times over the years that has just bitten us too many times to tell. And it usually shows up in the end of February or in the end of January where you're running automated testing and all of a sudden you have this flaky test. Where did that come from? And it's this is what it is. There are other ways to do this. Um, add month no overflow is an actual named method. Submon no overflow is a named method. There are other ones like that. Um, but definitely would suggest using this unless you're interested in having flaky tests or getting caught out by some weird date math. So check that one out. That is Laravel 13.4. Laravel Cloud has added a new path blocking feature designed to keep hibernated applications from waking up because of unwanted bot traffic. If you have an app in hibernation, random requests for from bots probing common paths like wpadmin.php orenv can cause the app to wake up unnecessarily. That means extra wake events from your traffic uh from traffic your server never wanted in the first place. With path blocking enabled, Laravel cloud can ignore those requests entirely so they do not trigger wakeups uh events or unnecessary activity. And this is now enabled by default for all new applications on Laravel Cloud. So if you've got environments already spun up like I do, I've just gone and turned this feature on. This matters because bots will constantly scan the web looking for common admin URLs, config files, and sensitive endpoints. And even if your Laravel app is not serving those paths, the request itself can still wake a hibernated app. The new setting acts like a filter in front of those requests so your app stays asleep unless it receives traffic that actually matters. And like hibernation or not, it's good to stop that traffic from coming to your application, which is just going to serve up a four four anyway. So you can go to uh from within an environment, go to settings, network edge, network settings, settings, configure firewall path blocking. Look, you probably don't catch that, but we'll have a link to the instructions for you in the show notes. And Eric is wearing I don't know what you call that hat, but he's wearing a winter hat in his screenshot. And uh well, you'll see it when you go and look at the article. Looks like it's made out of like a beaver pelt, right? It's like it's just like this big furry fuzzy hat with like the floppy ears on it and everything. It's I don't know. It's um looks very uh Yeah, it's It suits him though. It goes with the beard. It does. Yep. Yep. I agree. Laravel starter kits have now shipped with toast notifications. So you can think about like where would this end up getting used? Profile updates, password changes, email verification, those sorts of things with these starter kits. Those are common things that needs to happen. The settings controllers now flash these toasts. Uh instead of relying on session status messages or livewire event dispatches, um you can add your own with inertia. Flash or flux do flash toast for livewire. U these different stacks will use sonner a port of sonner uh for react for views for spvelt and livewire uses flux of course but it's just baked in now all all of them include it uh these inline these previous inline messages now look the same across every stack this was contributed by Wendell Adriel thanks so much for pushing that one out great work last bit of news today is this news this looks like a package. What is going on? No, it's news. We're calling it news. Uh, drop in comments for filament with commentions. That's a good name. Building commenting systems. Commentions. Like comments and mentions. Portmanto. Uh, building commenting systems. Hold on. Hold on. Hold on. You can't just get away with that. A what? It's a what? You've never heard this. Portman. That's what it's called. Spell it. When you take two words. I don't know how to spell it. P O R T M A N T E A U. A port manto is a literary and linguistic device where two or more words are joined together dropping some letters to create a new word that combines their meanings. I will never forget that word now. Porto. Okay. I I love that. I didn't know that that I didn't know that that had a name. That's very good. Um do you know what a snafu is? Do you know what a snafu is? Yeah, that is a military thing. My dad is in the army and I we know we know snafu. We like snafu. I've I was told today that I use that word a lot. And then I literally somebody like somebody told me that today. Um there was another one. Oh, spoonerism. Do you know what a spoonerism is? I've heard the word but I couldn't tell you off the top of my head what it is. I think it's I think it's when you like switch the letters of two words like a verbal initial sounds vows or more themes of two or more words are accidentally swapped creating oh yeah okay I do this allow the allowable sound fast instead of the alarm will sound the allowable sound like yeah it's just yeah it's it's when you switch the first okay uh spoonerism and port manto okay port I gota have to look that up anyway sorry yes commentions Please continue. Building commenting systems from scratch is one of those features that sounds simple until you actually start implementing it. You need comment models, user mentions, reactions, permissions, real-time updates, and a clean UI that fits your admin panel. And what starts as quote unquote just add comments quickly becomes a complex feature that takes weeks to build properly. If you are using filament for your admin panel, you already know the incredible power of the framework. Filament has revolutionized Laravel development by providing beautiful full stack components that accelerate development while maintaining the elegance and flexibility Laravel developers love. Uh so with conventions fully compatible with both filament version 3 and the cutting edge v4 release, you can extend that same elegance to your commenting systems. And uh Louie, who works over at um what's the name of the company? Kersbomb is uh put together. I mean this this is filed under news and I'm going to call it news but it goes into a great depth of detail about the package itself. Um getting started multiple ways to add comments to handle info lists and table actions and header actions and smart mentions and all sorts of different things. We'll have a link to this great lengthy juicy post in the show notes for you. Very nice. Okay. If you have ever needed to log user activity, you've probably come across this spy package called Laravel activity log. This has been around for a long time. We are now celebrating the release of version five. So this ships with with PHP 8.4 and Laravel 12 as minimum requirements. So it's removing a couple legacy features. It's modernizing the API. Let's talk about a couple of the main ones. There is an H there is a has activity trait that now combines the previously separate two things of logs activity and causes activity. Uh it merges them into one. So adding this trait to your model allows you to be able to um both trigger logged events as a subject and also be associated as the causer of activity on other models. So those individual traits still remain available if you need them separately, but there is now this has activity trait which sort of bundles them together. This is the next feature or the next feature is the one that I'm most excited about. So you can think if you're logging user activity, there's probably a lot of it that you're logging. So by default, every logged activity will fire an immediate immediate insert statement. But if your application is logging a lot of activities in a single request, for example, like during batch model updates, those things can add up really quickly. So this new buffering feature will collect all those activities and memory and then it will flush them all in a single bulk insert after that response is set. So it's very simple to enable. All you have to do is in your env set activity log buffer enabled to true or you can set it directly in the config in the activity log.php file buffer enabled true. That's it. No other code changes are required so that both automatic model event logging and manual activity log calls will be buffered automatically. There are a couple caveats here to keep in mind. You don't get an ID for any of those activity logs until those buffered activities are flushed. Um it is compatible with Octane. So it's uh it's it will work with that. And then it also is Q compatible. So for those of us who are using the Q to do these inserts, the buffer will be flushed after each job completes or fails. So activities logged inside jobs are bulk inserted when the job finishes. Um there's also this idea of a default causer. So you don't have to associate a causer every time. A lot of times as we're talking about that's the user. So you can just say this is the default causer is the user. And then lastly, model change tracking now uses a dedicated attribute changes database column. instead of storing changes inside of this general purpose properties JSON column on the activity log table which it was doing before it now has this attribute changes database column. So um there you have that there are a couple small breaking changes so read up on that if you're going to be upgrading but of course they have their upgrade guide which will outline all of that for you as well. Uh, managing software licenses in Laravel with Laravel licensing. This package by Luca Longo brings enterprisegrade license management directly into your Laravel application and handles seatbased license enforcement, offline verification via cryptographically signed tokens and full audit logging. Everything you need if you're distributing commercial software built on Laravel. Main features include offline verification, seatbased limits, license scopes, grace periods, renewals and expiration, audit logging, and flexible assignment. You can use the package once installed by publishing the config and running migrations. Then generate a root certificate and at least one signing key before issuing licenses and then you can create a license using a familiar eloquent syntax license docreate with key and off you go. And then you can register devices against licenses. Register devices against licenses by passing a device fingerprint hash and setting a name on it as well. You can issue offline verification tokens. Check the license status and more. There are two companion packages that go alongside it. This is a h licensing client which validates licenses against the server and handles offline token verification on the client side. So if you're distributing packages and and applications in that way, uh probably going to become more common with things like native PHP now as well. It also gives you a filament admin panel for managing licenses, monitoring seat usage, and rotating signing keys. We have links to all of that for you in the show notes. Very good. This next one is a bit specific, I will tell you. Um, if you need to build out a visual flowchart in an application and you happen to be using Alpine or LiveWire, TuneIn, this is called Artisan Flow. So, there's actually two parts to this, but it's a flowchart engine for Laravel and AlpineJS. So it's um nodebased flowchart UIs and you have Alpine flow which is sort of the core front-end engine. It's built on Alpine.js. If you want to just use that great, no problem. But then secondarily you have Wireflow which is a Laravel companion that will wrap those pieces in blade components and a live wire trait. So you can just uh use them as blade components rather than having to use Alpine by itself. So rather than render functions or JSX, you can build these flows really easily using Xflow Alpine directives or with wire flow. Okay, here are some of the key features. Um, it's directive uh driven, so it's it's very simple to write. Uh, it's feels very familiar if you're using LiveWire uh and you're used to that sort of syntax. It's got an animation engine, so you can see things like timelines, particles, path motion, camera tracking, all in a single animation loop. And in order to describe this, it's it's sort of better to just go see an example of it, how it works. So you have like a node and then you have along this edge, you have like this little particle flowing from one thing to the next. Um, it's got deep nesting, zero gs, js livewire integration, uh, smart edge routing, AI ready docs. Okay, so this go this is almost more of a tutorial uh than just an announcement of a package. I would say that if you went to sort of the landing page, you're going to be able to see relatively quickly if this is something that you might be able to utilize. As I stated, it's it's quite specific. If you've never thought to yourself, hm, I really need to render a flowchart here, you probably don't need this. However, if you are in that camp and you know the pain of trying to figure out how to render a flowchart u especially a good-looking one and do so programmatically, this is this is a package for you. So you can think of the syntax looking almost like mermaidjsesque. So if you've ever written a mermaidjs flowchart feels similar to that, but if you were to take it and make it like PHP array syntax, that's what it feels like. And so it does look really nice when you're done. And again, it is simple and sort of integrates with your existing uh frameworks and the things that you're working with with Alpine and with LiveWire and all that stuff. Um, it renders this onto a canvas. You get sort of things like zoom in, zoom out. It can lock to a certain position. You can drag around the canvas. All sorts of good stuff. Um, really interesting package here. And again, solves a very specific niche need. If this is something you are interested in or you've had to do yourself before, you should definitely check that one out. Thank you to Zach, see the last name, Zack Hiler, uh, who created that one. Really, really cool stuff. Laravel QuickBooks MCP server by Raju Rahan is a Laravel package that exposes QuickBooks online as an MPC MCP server over HTTP transport. It provides 50 MCP tools across 11 QuickBooks online entities, including customers, vendors, invoices, bills, and estimates, letting AI AI agents perform full CRUD operations on your books. The package requires PHP 8.2 and above, Laravel 11 and above, and uses the Laravel MCP for the protocol layer and the Spinen Spin Laravel QuickBooks client for QuickBooks API access. It provides automatic name to ID resolution, multi-tenant isolation, has a built-in oorth flow, entity aware delete behavior, very quick and easy to get up and running. This is something that is of interest to you. Check out the uh package for you in the Hey, uh I think we've all probably used PHP info before. So, you just kind of make a new page and then at the top you write, you know, bracket question mark PHP. The first line is PHP info pen pen end. That's it. That's what you write. And what that does is it spits out all the configuration and all the locations that you need to know about for the specific version of PHP that you're running for that specific application. PHP, sorry, pretty info is a replacement for that, like a modern replacement for that PHP info. Um, because the default one really doesn't actually look that great. The good news is it's just as simple as the other one. So instead of PHP info, you just write pretty PHP info. That's it. You drop that in and it swaps out the default output for this dark mode ready page with searchability. So instant search um click to copy values. You can pass info constants to uh the same same ones that you could have passed to PHP info before to just filter out these are the only sections I'm interested in seeing. So there's like the modules section or the general section. And so you can just pass that to pretty php info and say I'm really only interested in seeing these specific modules which is pretty cool. Querying PHP configuration programmatically is also something you can do now. So what you can do is say info capture and then you can say I'm interested in the version that I'm running. If I'm interested in knowing if I have this particular module enabled I want to know these config values. I want to know the OS. I want to know the host name. And then once you do that then you can query that info object to see the values that you pulled out of that PHP ini. Now the cool part about this is that it has the capacity the capability I should say to fetch both the local config value that's like the effective value as well as the master PHP INI value because the master PHP INI value can be overwritten by sub applications I guess you know what I mean other INI essentially and so you can sort of get both of them. You can say I want to know the actual top level one or I want to know the local one. This was something that wasn't really easy to know before like am I overwriting this and that's why like it's like this or is this the actual global value? So you have to go dig into it and go find it. Where is the actual main one? Where's the one that this one is reading? All that stuff. And so uh this does make it quite a bit easier. There's a couple other things you can do. Iterating over configuration uh as well as instructions on how to install it. There's also the ability to be able to kick these straight out to HTML, to text, uh, or maybe some other items there. So, enough said on that one. Uh, pretty cool. And if you've ever needed to do more than just see the PHP info page itself, definitely check this one out. Passage is a lightweight API proxy gateway for Laravel created by Morrison Chavez that lets your app sit between a client and an external API forwarding requests and responses while keeping full control over authentication headers and payload transformation all through familiar Laravel routing and middleware. The typical use case is when you need to call a third party API from your front end, but don't want to expose API keys, need to normalize payloads, or want to enforce validation and or logic in one place. Instead of building a custom proxy from scratch, passage gives you a structured way to do it with minimal boiler pl almost made it with minimal boiler plate. Routes are registered using the passage facade right alongside your regular routes and a wild card captures any subpath and forwards it upstream. Each route then points to a handler class that controls how requests are forwarded and responses are returned. And then and then the passage will ship with three authentication traits you can use inside whether that is a bearer token and API key or HMAC signing. Passage automatically strips sensitive client headers, cookies, authorization, proxy authorization before forwarding requests upstream. And handlers can validate incoming requests before they ever reach the upstream service by implementing a validates inbound request interface. Define Laravel validation rules in a rules method and any failures return a 422 with no upstream calls made. And for resilience, there is a withry method that adds automatic retry with exponential backoff. Passage also supports response cing for get and head routes and streaming responses for large payloads. Uh this is very interesting to sit kind of in between all of your things and handle keeping um especially from the from the security perspective as well keeping all of those kinds of things out of places you know putting that layer in there. So definitely worth a deeper look. Thanks to Yanick for running that up. We are at 1 hour Jake. I'm just going to quickly hit the four tutorials before we I was going to say real quick. So sorry. Um I forgot to shout out Joseph Sizzlebody of Signature Tech Studio that wrote that PHP info replacement that pretty PHP info. He did a great job. So sorry I forgot to mention that. Joseph, thank you for that. Great work on that. Very good. Uh four tutorials this week. I'm going to hit them uh at a high level. There is three of them. AI related. First up is building an AI chat agent with Laravel 12, MongoDB, Atlas, Vector Search, and the Voyage AI. Um, next up, we've got two episodes of Harris Rafolis's ship AI with Laravel. First up is Smart Ticket Triage with structured output. And secondly, we've got stop your AI agent from guessing. Uh, these are video tutorials. And lastly, making Laravel MongoDB operations item potent safe retries for financial transactions. Uh, that one's by Arthur Rivero. That is all we have for this week's very long show. It was indeed, but it was a good one. Thanks so much for making it all the way to the end if you did. Episode 256. You can find a show notes for this one at podcast.larvel-news.com256. Write us up in your podcaster of choice. Five stars would be amazing. And if you have any questions, of course, you can reach us on x.com at Michael Dinda, Jacob Bennett, or Laravel News. Folks, until next time, it's been a pleasure. We will see you out.