RepoJournal

LARAVEL TIGHTENS GITHUB ACTIONS SECURITY ACROSS THE ECOSYSTEM

By RepoJournal · Filed · About Laravel

The framework team is systematically pinning all third-party GitHub Actions to specific commit SHAs and rolling out Dependabot configurations to keep them updated automatically.

Laravel, Pint, and Pao are all hardening their CI/CD pipelines in parallel [1] [2], a coordinated move that reduces the blast radius if a popular action gets compromised. Each repo is also dropping `GITHUB_TOKEN` credentials from runners after checkout and declaring explicit permissions at the workflow level, cutting the attack surface for supply-chain exploits. Meanwhile, the framework itself is getting more surgical with its shipping: Cloudflare transport now properly sets `content_id` for inline attachments [3], MariaDB gained vector index support [4], and queue inspection now includes the full job payload for better debugging [5]. The docs are catching up with two new guides on `attachFromStorageDisk` for notifications [6] and the `ShouldBeDiscovered` attribute for auto-wiring events [7], so developers won't waste time digging through source code to figure out what they can do.
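An added example (not code from Laravel's repositories or from RepoJournal): a small Python audit for the hardening points above. It flags `uses:` references that are not pinned to a full commit SHA, a missing workflow-level `permissions:` block, and `actions/checkout` steps without `persist-credentials: false`, which is assumed here to be how the token is dropped after checkout. The sample workflow, `example-org/setup-tool` and the SHA are constructed; the scan is line-based and treats every non-local action as third party.

```python
import re

# Matches `uses: owner/repo[/path]@ref`; local (./...) and docker:// refs are skipped.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def _persist_disabled(lines, i):
    """True if the step whose `uses:` is on lines[i] sets persist-credentials: false."""
    for ln in lines[i + 1:]:
        if ln.lstrip().startswith("- "):  # the next step starts here
            return False
        if re.search(r"persist-credentials:\s*['\"]?false\b", ln):
            return True
    return False

def audit_workflow(text):
    """Return findings for one workflow file's text, in line order."""
    lines = text.splitlines()
    findings = []
    # A workflow-level permissions block is a top-level (unindented) key.
    if not any(re.match(r"permissions\s*:", ln) for ln in lines):
        findings.append("no workflow-level permissions block")
    for i, ln in enumerate(lines):
        m = USES.match(ln)
        if not m:
            continue
        action, ref = m.groups()
        if not FULL_SHA.fullmatch(ref):
            findings.append(f"line {i + 1}: {action}@{ref} is not pinned to a commit SHA")
        if action == "actions/checkout" and not _persist_disabled(lines, i):
            findings.append(f"line {i + 1}: checkout keeps GITHUB_TOKEN in git config")
    return findings

def dependabot_covers_actions(text):
    """True if a dependabot.yml declares the github-actions package ecosystem."""
    return re.search(r"package-ecosystem:\s*['\"]?github-actions\b", text) is not None

# Constructed sample: example-org/setup-tool and the SHA are made up.
SAMPLE = """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/setup-tool@main
"""
if __name__ == "__main__":
    print("\n".join(audit_workflow(SAMPLE)))
```

A tag or branch ref such as `@v4` or `@main` can be moved to different code by whoever controls the action's repository, which is why only a 40-character SHA passes the pin check.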

Action items

References

  [1] Pin GitHub Actions to commit SHAs and add Dependabot config, laravel/pao
  [2] Pin GitHub Actions to commit SHAs and add Dependabot config, laravel/pint
  [3] fix: Add content_id to inline attachment handling in CloudflareTransport, laravel/framework
  [4] Added MariaDB vector index capability (#60334), laravel/framework
  [5] [13.x] Add payload to InspectedJob (#60326), laravel/framework
  [6] [13.x] Add `attachFromStorageDisk` to notifications (#11220), laravel/docs
  [7] [13.x] Document ShouldBeDiscovered (#11219), laravel/docs

FAQ

What changed in Laravel on June 1, 2026?
The framework team is systematically pinning all third-party GitHub Actions to specific commit SHAs and rolling out Dependabot configurations to keep them updated automatically.

What should Laravel teams do about it?

  • Review your GitHub Actions workflows: pin all third-party actions to commit SHAs and add Dependabot config before end of week
  • If you're using Cloudflare Mail Transport with inline images, update the framework to pick up the `content_id` fix
  • Read the new docs on `ShouldBeDiscovered` and `attachFromStorageDisk` to understand what's available in 13.x

Which Laravel repositories shipped on June 1, 2026?
laravel/pao, laravel/pint, laravel/framework, laravel/docs
