Hi everyone,
Laravel 13 is finally here. It drops support for PHP 8.2 and now requires PHP 8.3 or higher. If you want to read a bout the new features on this release head on to the News section. We also have the latest bug fix releases for PHP 8.5.4 & PHP 8.4.19. In Tutorials this week we have guides for Detecting and Fixing Race Conditions in Laravel Applications, Hunting Down File Inclusions, and a beginners guide to Upload Files in PHP. In Podcasts we have new episodes from Laravel News, and this week the topics they cover are Blazing fast components, agent orchestration, and security scanning. No Compromises is also back and and they discuss how to tell the difference between tests that validate your logic and tests that merely exercise the framework. Finally in our Reading section we have articles on Mastering Symfony Scheduler, 2026 WordPress Optimization Checklist, and what happens when a Website Deployed but Nothing Changed.
We have all that and more, so we do hope you enjoy this week's newsletter. If you have an article, tutorial or podcast that you would like to be featured in our newsletter, feel free to reach out to us at [email protected].
All the best,
Adrian
|
Please help us by clicking to our sponsors:
Give Your Unused Startup a Second Chance
List your unfinished SaaS, app, or project for free. Sell it, find a co-founder, or let someone else bring it to life. No fees, no hassle - just new opportunities!
|
Articles
The Laravel Community Mobile App Helps You Discover Events and Connect With Developers
Laravel continues to grow with meetups, conferences, and community events happening all around the world. Keeping track of everything can be difficult as more local groups and regional events appear each year.
A GitHub Issue Title Compromised 4,000 Developer Machines
On February 17, 2026, someone published [email protected] to npm. The CLI binary was byte-identical to the previous version. For the next eight hours, every developer who installed or updated Cline got OpenClaw - a separate AI agent with full system access - installed globally on their machine without consent. Approximately 4,000 downloads occurred before the package was pulled1.
Why Your Laravel App is "Heavy" (and How to Fix it in 5 Minutes)
We've all been there. You build a beautiful Laravel application, deploy it to production, and then... it happens. The page load feels like it's dragging through mud.
PHP 8.3 Typed Constants in Production
PHP 8.3 introduced typed class constants, one of those small features that has a disproportionately positive impact on code quality. I've been using them extensively in production at DailyWatch, and they've caught several bugs that would have otherwise reached production.
Laravel 13 Deep Dive: Every New Feature, Change with Code Example
The Laravel ecosystem is moving at lightning speed, and Laravel 13—scheduled for release on March 17, 2026—is shaping up to be one of the most refined updates yet.
Late Static Binding in PHP
Ever wondered how User::find(1) returns a User and not some generic model object? This is why.
|
Tutorials and Talks
Detecting and Fixing Race Conditions in Laravel Applications
Learn how to identify race conditions in your Laravel MongoDB applications and fix them using atomic operations, with a practical e-commerce checkout example that demonstrates why Eloquent's read-modify-write pattern fails under concurrent load.
LaraCopilot: Generate Laravel MVPs From a Single Prompt With AI
At Laracon EU, I sat down with the LaraCopilot team to talk about the project. The goal behind LaraCopilot is simple. Vishal and his team want to help developers turn an idea into a working Laravel MVP as quickly as possible using AI.
How to easily access private properties and methods in PHP
Sometimes you need to access a private property or method on an object that isn't yours. Maybe you're writing a test and need to assert some internal state.
Building a Video Search Autocomplete System
Search autocomplete improves user experience significantly. Here's how I built a fast, lightweight autocomplete system for TrendVidStream using PHP, SQLite FTS5, and vanilla JavaScript.
Building a 100% Passwordless Future: Passkeys in Symfony 7.4
In the modern web era, passwords are no longer sufficient. They are the root cause of over 80% of data breaches, subject to phishing, reuse and terrible complexity rules. The industry has spoken: Passkeys are the future.
Elvis (?:) vs Null Coalescing (??) in PHP: A Practical Guide for WordPress Developers
TL;DR ?? (Null Coalescing Operator) Only falls back if the variable is undefined or null.
Stop Relying on Bloated Themes: How to Build a Custom WordPress Theme from Scratch
I have been creating custom digital experiences since 2017, and if there is one skill that instantly separates intermediate WordPress developers from the pros, it is the ability to build a theme entirely from scratch.
How to Securely Store and Use API Keys in Laravel in 2026
In 2026, almost every Laravel project integrates 3–10 external APIs: OpenAI, Stripe, Telegram, AWS S3, Resend, Brevo, and so on. Yet most key leaks happen not because of sophisticated attacks, but due to silly mistakes: committing to git, logging them, sending them to the frontend, or calling env() in production after config:cache.
How I Solved Lazy Image Resizing Without Slowing Down the Page Load
The moment user-uploaded images need to appear in more than one place (a thumbnail grid, a product preview, a hero banner) you need multiple sizes. The standard approach generates all variants at upload time, but this slows uploads, wastes disk space on sizes that are never requested, and forces a full library reprocess whenever your layout changes.
How to Upload Files in PHP (Step-by-Step Guide for Beginners)
File uploading is essential in web development. Whether you are building a blog, CMS, or user management system, file upload functionality is often required.
Walkthrough: Hunting Down File Inclusions
In this project, I focus on discovering and remediating file inclusion vulnerabilities in a PHP script. These occur when the source code of an application includes files in a way that allows a potential attacker to manipulate input to read or execute unauthorized files on the hosting server. |
News and Announcements
PHP 8.5.4 & PHP 8.4.19 Released
The PHP development team announces the immediate availability of PHP 8.5.4 & PHP 8.4.19. This is a bug fix release. All PHP 8.5 & PHP8.4 users are encouraged to upgrade to this version.
Laravel 13 Released: PHP 8.3, Attributes, Laravel AI, and a Smoother Upgrade Path
Laravel 13 is now released. This release will require PHP 8.3 as the minimum version and will follow Laravel's standard support cycle with bug fixes through Q3 2027 and security updates through Q1 2028.
Laracon AU Returns to Brisbane - Call for Speakers Now Open
Laracon AU will return to Brisbane, Australia on November 4-6, 2026, bringing the Laravel community together once again.
Inertia v3 Upgrade Prompt and JSON Log Support in Laravel Boost v2.3.0
Laravel Boost v2.3.0 adds a guided Inertia v3 upgrade prompt, support for JSON-formatted log entries, and a fix for stdout corruption on PHP 8.4. This release also removes six Artisan wrapper MCP tools that are now better handled by direct CLI commands.
Model::withoutRelation() in Laravel 12.54.0
Laravel v12.54.0 adds Model::withoutRelation() for selectively unloading relations from a cloned model instance, introduces interval() on InteractsWithData for parsing duration inputs, and includes a composite index on the jobs table for improved queue polling performance.
March 9–15, 2026 - A Week of Symfony #1002
This week, the upcoming Symfony 8.1 version deprecated the erase credentials security feature, added a new MapRequestHeader attribute, introduced a deep cloner in the VarExporter component, and added support for defining custom functions in the JsonPath component.
|
Podcasts and Vlogs
Laravel News: Blazing fast components, agent orchestration, and security scanning
Jake and Michael discuss all the latest Laravel releases, tutorials, and happenings in the community.
The Stack Overflow: Keeping the lights on for open source
Ryan sits down with Chainguard CEO Dan Lorenc to chat about how his team is keeping the foundation of the internet—open source projects—alive by forking archived but widely-used repos to provide security maintenance and dependency upgrades.
No Compromises Podcast: Are you testing your app or just the framework?
In the latest episode of the No Compromises podcast, we discuss how to tell the difference between tests that validate your logic and tests that merely exercise the framework.
Maintainable Podcast: Joel Oliveira: Predictability Is a Maintainability Feature
In this episode of Maintainable, Robby Russell speaks with Joel Oliveira, Engineering Manager at ezCater, about what helps software remain understandable and adaptable as it evolves.
Software Engineering Radio: SE Radio 711: Scott Hanselman on AI-Assisted Development Tools
Scott Hanselman, the VP of Developer Community at Microsoft, speaks with host Jeremy Jung about AI-assisted coding. They start by considering how the tools are a progression from syntax highlighting and autocomplete.
Shoptalk Show: 706: Can You Vibe Code a Canvas App, Geolocation Part 2, & CodePen v2
Are we all going to vibe code our own bespoke apps now, can a canvas app be vibe coded, more geolocation API thoughts, CodePen v2's public beta is now out, and private pens explained.
WP Builds: 460 – Turning WordPress Blogs Into eBooks With Naweed Chougle
In this episode, Nathan Wrigley chats with Naweed Chougle about eBook Crafter, a WordPress plugin that lets users transform their blog posts into editable, customisable ebooks.
PHP Architect: The PHP Podcast 2026.03.12
Eric continued his saga with connectivity issues, dropping multiple times on Zoom calls and even during the podcast. After trying everything from coax cable converters to different network setups, he’s considering just running a new network cable to his office. The Wi-Fi experiment during the show… didn’t go great.
Syntax: Remote Coding Agents
Scott and Wes break down the world of remote coding agents — what they are, why you'd want one, and all the different ways you can run them, from Cursor Cloud and Claude Code to an old laptop sitting on your floor.
The Changelog: From Tailnet to platform
Adam talks with Tailscale co-founder and Chief Strategy Officer David Carney about where Tailscale is headed next: TSIDP, TSNet, multiple tailnets, and Aperture. They get into clickless auth (via TSIDP), TSNet apps, multiple tailnets for isolation and control, and Aperture, Tailscale’s private AI gateway for API key management, observability, and agent security.
|
|
I built an AI pipeline to give my partner her time back (and accidentally cured my engineering burnout).
After months of dealing with burnout, I let the "builder" in me go dormant. But recently, I found the perfect excuse to start building again: my partner's part-time job.
Hitting a 100 PageSpeed Score: The 2026 WordPress Optimization Checklist
If your WordPress site is lagging, you're losing visitors and revenue every second. Optimizing a WordPress website for speed is crucial for user experience, SEO, and conversion rates. Professional speed optimization requires more than just installing a caching plugin—it's about fine-tuning every layer of your stack.
Why I Built a Business Content Layer on Top of Laravel AI SDK
I tried laravel/ai when it came out. The SDK is well-designed — clean provider abstraction, good DX. But the moment I tried to use it for real business content generation, I ran into the same problem every time. There's no business layer.
Mastering Symfony Scheduler: from cron chaos to reliable jobs
If you’ve been running Symfony applications in production for a few years, you probably have at least one cron job that looks like this.
How my server became a “Cat & Mouse” game due to a Zero-Day vulnerability?
For a whole week, I fought a fierce technical battle against a recurring hack on one of my private servers. Every time I thought I secured it, the attacker returned with a new style.
Website Deployed but Nothing Changed
If you have built a website, you have likely encountered the specific frustration of deploying to the global network: you update a CSS style or patch a JavaScript bug, but the production site stubbornly serves the old version. Only your users see the “broken” state.
|
Interesting Projects, Tools and Libraries
shiny/json-logic-php
A modern, complete PHP implementation of JsonLogic. 601/601 official tests. Zero dependencies. PHP 8.1+.
crwlr/query-string
A library for convenient handling of query strings used in HTTP requests.
php-mime-mail-parser/php-mime-mail-parser
A fully tested email parser for PHP 8.0+ (mailparse extension wrapper).
oneup/flysystem-bundle
Integrates Flysystem filesystem abstraction library to your Symfony project.
ghostwriter/container
Provides an extensible Dependency Injection Service Container for Automated Object Composition, Interception, and Lifetime Management.
league/factory-muffin
The goal of this package is to enable the rapid creation of objects for the purpose of testing.
prestashop/decimal
Object-oriented wrapper/shim for BC Math PHP extension. Allows for arbitrary-precision math operations.
swissspidy/phpstan-no-private
PHPStan rules for detecting usage of pseudo-private functions, classes, and methods.
zenstruck/messenger-test
Assertions and helpers for testing your symfony/messenger queues.
willdurand/js-translation-bundle
A pretty nice way to expose your translation messages to your JavaScript.
|
Jobs
------
Do you have a position that you would like to fill? PHP Weekly is ideal for targeting developers and the cost is only $75/week for an advert. Please let me know if you are interested by emailing me at [email protected] |
Please help us by clicking to our sponsor:
 Protect your PHP Code
Why not try SourceGuardian 17. Click here to download a 14 Day Trial copy. Protect your code using Windows, Linux or Mac and run everywhere with our free Loaders. |
So, how did you like this issue?
|
|
|
|
