ECHO DEPENDENCY SECURITY BLITZ CLOSES SOCKET.IO VULNERABILITY

By RepoJournal · Filed · About Laravel

Laravel Echo shipped five critical dependency updates overnight, including a socket.io-parser patch that closes CVE-2026-33151 and an axios update that hardens it against prototype pollution attacks.

The socket.io-parser bump to 4.2.6 [1] fixes a known vulnerability that could affect real-time communication in production apps, and it is the one that demands immediate attention. Alongside it, axios moved to 1.15.2 [2], which adds prototype-pollution hardening for the Node HTTP adapter plus a Unix domain socket SSRF mitigation that closes a supply-chain attack vector. Flatted jumped to 3.4.2 [3], fixing CWE-1321, while minimatch's aggressive leap from 3.0.8 to 9.0.9 [4] brings major pattern-matching improvements. PostCSS landed at 8.5.14 [5], resolving custom syntax regressions.

On the Moat side, the team shipped light theme support [6], improved naming conventions [7], and patched exit code handling [8], but that is polish work next to the tightening of Echo's security chain. This is a maintenance release that actually matters: your WebSocket layer is more secure, your HTTP client is hardened, and your CLI tools are more reliable.
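To confirm an application actually resolves the patched releases, this added example (not RepoJournal's or Laravel's code) scans the `packages` map of an npm `package-lock.json` for installed copies, including nested transitive ones, below the versions named above. Treating those versions as floors for every copy, the function names, and the sample lockfile are assumptions of the example.

```javascript
// Version floors taken from the article's text; treating them as minimums for
// every installed copy is this example's assumption.
const FLOORS = { "socket.io-parser": "4.2.6", axios: "1.15.2", flatted: "3.4.2" };

// Compare dotted numeric versions; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy, including nested ones, below its floor.
function findBelowFloor(lock, floors = FLOORS) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    // hasOwn keeps inherited keys such as "constructor" from matching.
    if (!name || !Object.hasOwn(floors, name) || !meta.version) continue;
    if (compareVersions(meta.version, floors[name]) < 0) {
      hits.push({ path, name, version: meta.version, floor: floors[name] });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical packages, not from a real project).
const sampleLock = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/socket.io-parser": { version: "4.2.6" },
    "node_modules/axios": { version: "1.15.0" },
    "node_modules/legacy-client/node_modules/socket.io-parser": { version: "4.2.4" },
    "node_modules/flatted": { version: "3.4.2" },
  },
};

console.log(findBelowFloor(sampleLock));
```

The nested `legacy-client` copy is the case to watch: a top-level upgrade can leave an older pinned copy in the tree.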

References

  [1] Bump socket.io-parser from 4.2.4 to 4.2.6 (laravel/echo)
  [2] Bump axios from 1.15.0 to 1.15.2 (laravel/echo)
  [3] Bump flatted from 3.3.3 to 3.4.2 (laravel/echo)
  [4] Bump minimatch from 3.0.8 to 9.0.9 (laravel/echo)
  [5] Bump postcss from 8.5.8 to 8.5.14 (laravel/echo)
  [6] feat: light theme (laravel/moat)
  [7] feat: improves naming (laravel/moat)
  [8] fix: exit code (laravel/moat)

FAQ

What changed in Laravel on May 15, 2026?
Laravel Echo shipped five critical dependency updates overnight, including a socket.io-parser patch that closes CVE-2026-33151 and an axios update that hardens it against prototype pollution attacks.
What should Laravel teams do about it?
  • Upgrade laravel/echo to pull socket.io-parser 4.2.6 before next deploy
  • Review axios configuration if you use custom HTTP adapters
  • Test minimatch 9.x behavior in your build pipeline
Which Laravel repositories shipped on May 15, 2026?
laravel/echo, laravel/moat
