RepoJournal
Laravel

@laravel

PHP's most popular framework — Forge, Vapor, and a massive paying audience


LARAVEL PLUGS GITHUB CREDENTIALS LEAK ACROSS INSTALLER AND CORE

By RepoJournal · Filed · About Laravel

Laravel is systematically removing exposed Composer OAuth tokens from GitHub Actions workflows in both the installer and framework, a security hygiene fix rolling through 13.x.

The framework team [1] [2] and installer [3] are stripping `github-oauth` credentials from Linux and Windows Actions to prevent accidental token exposure in logs and artifacts—a pattern that should have been locked down long ago but is being addressed now across all entry points. The framework also shipped support for `after_commit` hooks on Cloud queue metrics [4], letting you defer metric writes until transactions actually land, which matters if you're tracking queue performance against eventual consistency. Over in laravel/boost, the MCP JSON config handler now preserves empty objects instead of converting them to arrays [5], fixing a schema validation failure that was breaking OpenCode startup when Boost installed its server entry. The same crew also cleaned up redundant `.env` read guidance [6] from the MCP docs, removing noise after earlier core-guideline refactoring. Infrastructure work across `.github` workflows is adding Ubuntu runners and reusable composition patterns [7], likely to support the credential cleanup rollout and future CI standardization.

Action items

References

  [1] [13.x] Remove Composer `github-oauth` credentials on Linux & Windows Actions, laravel/framework
  [2] [13.x] Remove Composer `github-oauth` credentials on Linux & Windows Actions (#60095), laravel/framework
  [3] Remove Composer `github-oauth` credentials on Linux & Windows Actions (#520), laravel/installer
  [4] [13.x] Add support for `after_commit` for Cloud queue metrics, laravel/framework
  [5] Preserve empty objects in MCP JSON config files, laravel/boost
  [6] Remove redundant guidance to read .env directly, laravel/boost
  [7] Add Ubuntu runner for setup-composer workflow, laravel/.github

FAQ

What changed in Laravel on May 13, 2026?
Laravel is systematically removing exposed Composer OAuth tokens from GitHub Actions workflows in both the installer and framework, a security hygiene fix rolling through 13.x.
What should Laravel teams do about it?
  • Review your GitHub Actions workflows for exposed Composer credentials — audit `composer config` outputs in logs
  • If using laravel/boost with MCP, upgrade to the latest commit with JSON object preservation
  • Monitor 13.x PRs landing — the credentials cleanup is live and rolling forward
Which Laravel repositories shipped on May 13, 2026?
laravel/framework, laravel/installer, laravel/boost, laravel/.github
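
One way to run the workflow and log audit suggested above, as an added example (not code from Laravel or RepoJournal): it flags steps that write a `github-oauth` entry into Composer's config, populated `github-oauth` JSON, and token-shaped strings, and redacts tokens before reporting. The rule names, the `FAKE` token and the sample lines are constructed for illustration.

```python
import json
import re

# GitHub token shapes: ghp_/gho_/ghu_/ghs_/ghr_ prefixes and fine-grained github_pat_.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})")
# A step that writes a github-oauth entry into Composer's config.
CONFIG_WRITE_RE = re.compile(r"composer\s+config\b[^\n]*?\bgithub-oauth\.\S+\s+\S+")


def has_oauth_json(line):
    """True if the line embeds JSON with a non-empty "github-oauth" object."""
    if '"github-oauth"' not in line:
        return False
    blob = line[line.find("{"): line.rfind("}") + 1]
    try:
        data = json.loads(blob)
    except ValueError:
        return False
    return isinstance(data, dict) and bool(data.get("github-oauth"))


def redact(line):
    """Mask token bodies so findings can be shared without re-leaking them."""
    return TOKEN_RE.sub(lambda m: m.group(0)[:4] + "[REDACTED]", line)


def audit(lines):
    """Return (line_number, rule) pairs for workflow or log lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        if CONFIG_WRITE_RE.search(line):
            findings.append((number, "oauth-config-write"))
        if has_oauth_json(line):
            findings.append((number, "oauth-json-populated"))
        if TOKEN_RE.search(line):
            findings.append((number, "token-in-clear"))
    return findings


FAKE = "ghp_" + "X" * 36  # constructed placeholder, not a real token
SAMPLE = [  # constructed workflow and log lines
    "- run: composer config --global github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}",
    "- run: composer install --no-interaction",
    "  COMPOSER_AUTH: '{\"github-oauth\": {\"github.com\": \"" + FAKE + "\"}}'",
    "[github-oauth.github.com] " + FAKE,
    '{"github-oauth": {}}',  # emptied credentials: should not be flagged
]

if __name__ == "__main__":
    for number, rule in audit(SAMPLE):
        print(f"line {number}: {rule}: {redact(SAMPLE[number - 1])}")
```

An `oauth-config-write` hit is not a leak by itself; it marks a step after which the token sits in Composer's config on the runner and deserves a matching cleanup step.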
