The Wire · Showcase
ESBUILD PATCHES SECURITY HOLE IN LARAVEL STREAM
By RepoJournal · Filed · About Laravel
Laravel Stream bumped esbuild to 0.28.1 overnight to patch a security issue in the development server that could allow malformed HTTP requests to slip through.
The fix blocks backslash characters in local development server HTTP requests, closing a vector that could have caused problems during development [1]. This is a small but important upgrade if you're running Stream in active development. Meanwhile, the Bootcamp project jumped guzzlehttp/psr7 four minor versions (2.7.1 to 2.11.0) [2], tightening validation in request modification and header parsing to prevent subtle HTTP bugs. Over on the Vonage notification channel, routine GitHub Actions maintenance bumped checkout and setup-php [3], keeping CI pipelines current. None of these are blocking issues, but the esbuild patch is worth pulling in before your next development session.
Action items
- → Update esbuild in laravel/stream to 0.28.1 laravel/stream [plan]
- → Review guzzlehttp/psr7 changelog before upgrading Bootcamp laravel/bootcamp [monitor]
References
- [1] Bump esbuild from 0.27.3 to 0.28.1 ↗ laravel/stream
- [2] Bump guzzlehttp/psr7 from 2.7.1 to 2.11.0 ↗ laravel/bootcamp
- [3] Bump the github-actions group with 2 updates ↗ laravel/vonage-notification-channel
FAQ
- What changed in Laravel on June 13, 2026?
- Laravel Stream bumped esbuild to 0.28.1 overnight to patch a security issue in the development server that could allow malformed HTTP requests to slip through.
- What should Laravel teams do about it?
- Update esbuild in laravel/stream to 0.28.1 • Review guzzlehttp/psr7 changelog before upgrading Bootcamp
- Which Laravel repositories shipped on June 13, 2026?
- laravel/stream, laravel/bootcamp, laravel/vonage-notification-channel