RepoJournal
Laravel

@laravel

PHP's most popular framework — Forge, Vapor, and a massive paying audience

Pick a date

The Wire · Showcase

ESBUILD PATCHES SECURITY HOLE IN LARAVEL STREAM

By RepoJournal · Filed · About Laravel

Laravel Stream bumped esbuild to 0.28.1 overnight to patch a security issue in the development server that could allow malformed HTTP requests to slip through.

The fix blocks backslash characters in local development server HTTP requests, closing a vector that could have caused problems during development [1]. This is a small but important upgrade if you're running Stream in active development. Meanwhile, the Bootcamp project jumped guzzlehttp/psr7 four minor versions (2.7.1 to 2.11.0) [2], tightening validation in request modification and header parsing to prevent subtle HTTP bugs. Over on the Vonage notification channel, routine GitHub Actions maintenance bumped checkout and setup-php [3], keeping CI pipelines current. None of these are blocking issues, but the esbuild patch is worth pulling in before your next development session.

Action items

References

  1. [1] Bump esbuild from 0.27.3 to 0.28.1 ↗ laravel/stream
  2. [2] Bump guzzlehttp/psr7 from 2.7.1 to 2.11.0 ↗ laravel/bootcamp
  3. [3] Bump the github-actions group with 2 updates ↗ laravel/vonage-notification-channel

FAQ

What changed in Laravel on June 13, 2026?
Laravel Stream bumped esbuild to 0.28.1 overnight to patch a security issue in the development server that could allow malformed HTTP requests to slip through.
What should Laravel teams do about it?
Update esbuild in laravel/stream to 0.28.1 • Review guzzlehttp/psr7 changelog before upgrading Bootcamp
Which Laravel repositories shipped on June 13, 2026?
laravel/stream, laravel/bootcamp, laravel/vonage-notification-channel

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.