Plugin Laravel Laravel Package

What’s Changed

Features

• 🛡️ Add [@psalm-taint-source](https://github.com/psalm-taint-source) input for Http\Client\Response methods (#676) @alies-dev

Improvements

• Narrow Collection::sum() return type from mixed to int|float (#680) @alies-dev
• Add Collection::empty() stub with static<never, never> return type (#679) @alies-dev
• Detect missing views through View facade calls (#668) @alies-dev

Internal changes

• Support patch-version stub directories (#681) @alies-dev
• Add taint analysis tests for undertested stub sinks (#675) @alies-dev
• Refactor test app to Auto Repair Shop domain, reorganize type tests (#667) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.6.1...v4.6.2

Backports type inference and taint analysis improvements from Plugin 4.x to Psalm 6 users.

What's Changed

Taint Analysis

• Cookies — CookieJar make/queue/forever/forget methods flagged as taint-sink header
• Filesystem — Storage::put(), Storage::prepend(), Storage::append() as path/file sinks
• HTTP Client — Http::get(), Http::post(), Http::send() as SSRF sinks
• Sessions — session() helper and Store methods as taint sources (XSS, SQL injection)
• Views — View::make(), view() helper, View::share() as HTML sinks
• Mail — Mailable subject/to/from as header sinks, body/line/action as HTML sinks
• Redis — eval, evalSha, executeRaw as eval sinks
• Uploaded files — filename, path, contents, MIME type as taint sources
• Encryption — encrypt()/decrypt() correctly modeled as taint escape/unescape
• Routing — route parameters as taint sources, redirector as SSRF sink
• Response — header(), withHeaders(), cookie() as header sinks

Type Inference

Stubs backported from v4.0–v4.6 to reduce false positives:

• Query Builder — narrowed return types (count → int<0,max>, get → Collection<int, stdClass>, cursor → LazyCollection), added 20+ method stubs (whereNot, having, from, orderBy, etc.)
• Eloquent Builder — narrowed cursor, pluck, paginators, firstOrCreate; added whereNot, createOrFirst, findSole, chunkMap; @psalm-variadic on with()/without()
• Model — added Stringable/HasBroadcastChannel implements, public increment/decrement
• Schema — new stubs for Blueprint, ColumnDefinition, ForeignIdColumnDefinition, ForeignKeyDefinition (fluent migration chains)
• Auth — new stubs for Authenticatable, SessionGuard, TokenGuard
• Collection handlers — filter() without callback now removes null/false from TValue; flatten(1)/collapse() preserve TValue

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.3.0...v3.4.0

What’s Changed

Features

• Model models variadic arguments: support for static (__callStatic) Model calls (#663) @alies-dev
• Custom Collections: support returns from Relation method calls (#661) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.6.0...v4.6.1

What's Changed

Deep relationship type resolution, Custom query builders, Custom Collections, and smarter validation shapes (thanks to @MDG11).

Custom Query Builders

• Infer custom query builder types via #[UseEloquentBuilder] attribute and newEloquentBuilder() override (#621) @alies-dev
• Resolve scope methods on custom query builder instances (#633) @alies-dev
• Support SoftDeletes trait methods on custom query builders (#632) @alies-dev

Relationships

• Add MethodForwardingHandler for Relation method forwarding (#642) @alies-dev
• Resolve morphTo property type from docblock generic annotations (#652) @alies-dev
• Resolve custom collection types for relation property access (#651) @alies-dev
• Support #[CollectedBy] attribute for custom Eloquent collections (#623) @alies-dev

Validation

• Parse dot-notation validation rules into nested array shapes (#625) @MDG11 and @alies-dev

Type Improvements

• Narrow Collection::flatten() and collapse() return types to preserve TValue (#619) @alies-dev
• Redeclare Model::increment()/decrement() as public in stub (#618) @alies-dev
• Skip ModelMakeDiscouraged when model has custom make() method (#616) @alies-dev

Security (Taint Analysis)

• 🛡️ Add [@psalm-flow](https://github.com/psalm-flow) for Collection get()/first()/pull()/value() default parameter taint propagation (#650) @alies-dev

Internal

• Replace GNU time with hyperfine + github-action-benchmark (#657) @alies-dev
• Add CI performance benchmark workflow (#655) @alies-dev

New Contributors

• @MDG11 made their first contribution in #625 — dot-notation validation rule parsing

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.5.0...v4.6.0

What's Changed

Three new opt-in rules, expanded taint coverage, and fewer false positives across the board (focus on __() and trans()).

New Rules

• MissingView: Detect missing Blade view files in view() and View::make() calls (#579) @alies-dev
• ModelMakeDiscouraged: Detect undefined translation keys in __() and trans() calls (#595) @alies-dev
• MissingTranslation: Warn against Model::make() in favor of new Model() @alies-dev

Type Improvements

• Narrow __() and trans() return type to string|array (was mixed) (#592) @alies-dev
• Narrow __() return to string when the translation key is known to exist @alies-dev
• Suppress false-positive MissingTemplateParam on HasFactory trait (#517) @alies-dev
• Skip method forwarding for methods defined directly on Model (#498) @alies-dev
• Add missing implements clauses to 15 stubs (#615) @alies-dev
• Fix morphTo stub to bypass $this issue in generics @alies-dev
• Fix morphToMany/morphedByMany signatures @alies-dev
• Add [@return](https://github.com/return) static to Stringable stub methods @alies-dev

Security (Taint Analysis)

• 🛡️ Add [@psalm-taint-source](https://github.com/psalm-taint-source) input for Route parameter methods (#608) @alies-dev
• 🛡️ Add taint sinks for Redis eval/executeRaw (Lua injection) @alies-dev
• 🛡️ Add header taint sinks for CookieJar methods @alies-dev
• 🛡️ Add $path/$domain sinks to Cookie::expire() and forget() @alies-dev
• 🛡️ Add taint flow tracking through Str::of(), str(), and Stringable @alies-dev
• 🛡️ Mark Hash::make() and bcrypt() as [@psalm-taint-escape](https://github.com/psalm-taint-escape) system_secret @alies-dev

Benchmark

Tested against 10 real-world Laravel apps (bagisto, coolify, monica, pixelfed, solidtime, unit3d, vito, and others). Combined results vs v4.4.0:

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.4.0...v4.5.0

Whats' changed

• feat: update Collection, Model, Builder stubs (backport them from 4.x) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.2.2...v3.3.0

What's Changed

• Enhance DX by accelerating tests @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.2.1...v3.2.2

What's Changed

• Better type infer for MorphTo relationships @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.2.0...v3.2.1

What's Changed

• Stability: drop Psalm 7 support on 3.x plugin version by @alies-dev in https://github.com/psalm/psalm-plugin-laravel/pull/602 (as it changed API for plugin)

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v3.2.0

What’s Changed

This is the biggest release since v4.0.

Is release is focused on Validator and FormRequest classes and provides best-in-class type infer for them.

Features

• Improve stub type precision across Eloquent, Collections, Query Builder, and helpers to narrow down types (#583) @alies-dev
• Add validation-aware type narrowing and taint analysis for FormRequest (#577) @alies-dev
• 🛡️ Add taint-sink sql annotations for SQL identifiers and table names (#582) @alies-dev
• 🛡️ Add taint sinks for View\Factory and View\View methods (#580) @alies-dev
• 🛡️ Add taint escape annotations for Js::from() and Js::encode() (#573) @alies-dev
• 🛡️ Add taint sources for session data retrieval (Session\Store::get() and other) (#557) @alies-dev
• 🛡️ Add taint sinks for HTTP client SSRF and redirect methods (#555) @alies-dev
• 🛡️ Add taint sinks for Mail and Notification classes (#556) @alies-dev

Fixes

• Remove false-positive taint source from Request::integer() and Request::float() (#575) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.3.2...v4.4.0

What’s Changed

• Add PHP 8.2 support (#554) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.3.1...v4.3.2

What’s Changed

Fixes

• Accept flexible callable signatures in Attribute::make() (#552)
• Add [@psalm-taint-escape](https://github.com/psalm-taint-escape) html for e() helper to avoid false negatives (#551)

Internal changes

• Merge stubs/taintAnalysis/ into stubs/common/ (#553)
• Add contribution docs for taint analysis

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.3.0...v4.3.1

What's Changed

This release focuses on migration schema analysis for better Eloquent attribute type inference.

Migration Schema Analysis

• Support broader Schema call patterns (connection chaining, class constants, custom facades) (#526)
• Resolve foreignIdFor() column type from referenced model's primary key (#523)
• Handle Blueprint::datetimes() and fix ulid() default column name (#531)
• Default to mixed type for unknown Blueprint methods (custom DB types added by macros) (#528)
• Sort migration files by basename to match Laravel's migrator ordering (#519)
• Cache parsed migration schema to disk to speed up repeated runs (#524)

Stubs & Type Fixes

• Fix Collection::map() return type, add Builder::select() and ResponseTrait::cookie() stubs (#548)

Security (Taint Analysis)

• 🛡️ Add [@psalm-taint-escape](https://github.com/psalm-taint-escape) sql for Connection::escape() (#547)
• 🛡️ Add taint stubs for UploadedFile and encrypt/decrypt helpers (#546)

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.2.0...v4.3.0

Highlights

Relationship accessors without generics — The plugin now resolves Eloquent relationship property types even when methods lack generic annotations. Previously, $user->posts required [@return](https://github.com/return) HasMany<Post, User> to get a precise type. Now the plugin parses the method body AST to extract the related model from $this->hasMany(Post::class), falling back gracefully to bounded types.

Static Query Builder methods on Models — User::where(...), User::orderBy(...), and model scopes now resolve with the correct Builder<User> return type, enabling full type inference through query chains starting from the model class.

SQL schema dump support — The plugin now parses php artisan schema:dump output (MySQL, PostgreSQL, SQLite) as a base layer for model attribute discovery. PHP migrations are applied on top, matching Laravel's own resolution order.

🛡️ Security: new taint sinks — Added XSS detection through HtmlString (which bypasses Blade escaping) and path traversal detection through Storage facade methods (put, writeStream, delete, copy, move, etc.).

Features

• Resolve Eloquent relationship accessors without generic annotations (#502)
• Resolve static Query\Builder methods and scopes on Model classes (#508)
• Support SQL schema dumps for Eloquent model attribute discovery (#495)
• Add stubs for Schema\ColumnDefinition, ForeignIdColumnDefinition, and ForeignKeyDefinition fluent methods (#501)
• 🛡️ Add taint sink for HtmlString to detect XSS bypass of Blade escaping (#491)
• 🛡️ Add taint sinks for Storage facade / FilesystemAdapter path traversal detection (#492)

Fixes

• Process Schema calls in migration helper methods, not just up() (#509)
• Discover Schema/Blueprint calls inside nested block structures (if/else, try/catch, foreach) (#506)
• Add missing nullableTimestampsTz() switch case in schema aggregator
• Narrow count/update/increment/decrement return type to int<0, max> (#499)

Improvements

• Extract cached hasUserPseudoProperty() helper to reduce redundant storage lookups
• Add $codebase->progress->debug() to relationship resolution catch blocks for --debug traceability
• Remove silent constructor catch in findStubFiles() — errors now propagate to the top-level handler

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.1.0...v4.2.0

What’s Changed

Features

• feat: infer pluck() value type from model [@property](https://github.com/property) annotations (#488) @alies-dev
• 🛡️ Add taint sinks for Artisan command injection detection (#489) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.1...v4.1.0

What’s Changed

• Taint Analysis: add sinks for sub-query builder methods (#481) @alies-dev
• Narrow Collection::filter() return type when called without callback (#467) @alies-dev
• Remove route helper function stub as not needed anymore @alies-dev
• Remove once helper function stub as not needed anymore @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0...v4.0.1

The biggest release since the plugin was created. 90% of the codebase was rewritten for stability, performance, and deeper Laravel coverage.

Highlights

• Up to 50x faster on large projects (new caching layer)
• Extended security scanning -- 9 taint analysis stubs covering SQL injection, shell injection, file traversal, SSRF, XSS, open redirect, and crypto bypass. Taint analysis now runs automatically in Psalm 7 -- no flags needed, just ./vendor/bin/psalm
• Compatible with Larastan generics -- relationships, pagination, and Attribute<TGet, TSet> templates all work. Use both tools together: Larastan for types, psalm-plugin-laravel for security
• Removed barryvdh/laravel-ide-helper dependency -- facades and model properties are now resolved natively by the plugin

New features

• Custom issue checkers: InvalidConsoleArgumentName, InvalidConsoleOptionName, NoEnvOutsideConfig
• Model [@property](https://github.com/property) declarations take precedence over migration-discovered properties
• Enhanced attribute type casting -- AST-based casts() parsing without method execution
• Scope detection -- both legacy scopeXxx() methods and Laravel 12+ #[Scope] attribute, plus the Scope interface
• Expanded migration types -- after() closures, Blueprint::rename(), addColumn(), vector columns, and auto-discovery of directories registered via loadMigrationsFrom()

Breaking changes

Eloquent relation generics now require a declaring model parameter (e.g., BelongsTo<Foo> becomes BelongsTo<Foo, self>).

Internals

• Internal code type coverage: 100%
• Tests run 30x faster
• PER Coding Style 3.0
• Better DX for testing and contributing

Upgrade

composer require --dev psalm/plugin-laravel:^4.0 -W

Full migration guide

Security scanning coverage

psalm-plugin-laravel is the only free tool that combines Laravel-aware type analysis with dataflow-based taint vulnerability detection:

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0

What’s Changed

See v4.0.0 Beta 1 release for full list of major changes

Migration guide

composer require --dev psalm/plugin-laravel:^4.0@beta -W

If you have "minimum-stability": "stable", and got Your requirements could not be resolved to an installable set of packages.: error

composer config minimum-stability beta
composer config prefer-stable true

composer require --dev vimeo/psalm:^7.0@beta psalm/plugin-laravel:^4.0@RC -W

See Upgrading from v3 to v4 for details.

In this RC:

• Add documentation pages for custom plugin custom issues (#465) @alies-dev
  • NoEnvOutsideConfig
  • InvalidConsoleArgumentName
  • InvalidConsoleOptionName

RC Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0-rc.1...v4.0.0-rc.2

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-rc.2

4.0 GitHub Discussion

What's Changed

See v4.0.0 Beta 1 release for full list of major changes

Migration guide

composer require --dev psalm/plugin-laravel:^4.0@beta -W

If you have "minimum-stability": "stable", and got Your requirements could not be resolved to an installable set of packages.: error

composer config minimum-stability beta
composer config prefer-stable true

composer require --dev vimeo/psalm:^7.0@beta psalm/plugin-laravel:^4.0@RC -W

See Upgrading from v3 to v4 for details.

In this RC:

• Feat: Add NoEnvOutsideConfig rule to detect env() calls outside config directory https://github.com/psalm/psalm-plugin-laravel/pull/456
• Feat: better Taint detection in Eloquent Builder expressions
• Feat: infer precise types for Console command argument() and option() calls https://github.com/psalm/psalm-plugin-laravel/pull/457
• Docs: add upgrading guide
• Fix variable shadowing and misleading error issue title https://github.com/psalm/psalm-plugin-laravel/pull/460
• Fix: CastsMethodParser AST traversal — getAttribute('parent') is always null https://github.com/psalm/psalm-plugin-laravel/pull/458
• Fix relation stub signatures and type bare array params https://github.com/psalm/psalm-plugin-laravel/pull/461
• Fix createMany param types and CastsMethodParser AST parent lookup https://github.com/psalm/psalm-plugin-laravel/pull/462

RC/Beta Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0-beta.2...v4.0.0-rc.1

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-rc.1

4.0 GitHub Discussion

What’s Changed (from the previous beta)

• feat: infer precise types for Console command argument() and option() calls (#457) @alies-dev
• fix: Psalm 7 crash for Auth facade @method-annotated methods (#453) @alies-dev

Beta Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0-beta.1...v4.0.0-beta.2

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-beta.2

What's Changed

• Support Laravel 12–13; drop Laravel 11 (and update other dependencies)
• Require PHP 8.3+; drop PHP 8.2
• Require Psalm 7; drop Psalm 6
• Support Model [@property](https://github.com/property) declarations (take precedence over migration-discovered properties)
• Compatible with Larastan generics
  • Relationships
  • Pagination
  • Attribute
• Enhanced Model attribute type casting
• Enhanced Scope detection (legacy scopeXxx() and #[Scope] attribute)
• Expanded attribute types inferred from migrations (supports more types inc. vector)
• Speed up to 50x on big projects (caching)
• Extended taint-analysis support

Internals

• Remove barryvdh/laravel-ide-helper dependency — facades and model properties are now resolved natively
• Run tests faster (30x)
• Internal code type coverage 100%
• PER3 coding style
• Better test coverage

Migration guide

composer require --dev psalm/plugin-laravel:^4.0@beta -W

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-beta.1

What’s Changed

• feat: handle dropColumn() with array argument in SchemaAggregator (#448) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.4...v3.1.5

What’s Changed

• Fix false-positive ArgumentTypeCoercion for retry() helper @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.3...v3.1.4

What's Changed

SchemaAggregator improvements (#423, #425)

• Unsigned integer tracking: unsignedBigInteger, increments, foreignId, id, and the ->unsigned() modifier are now recognized, enabling non-negative-int inference for unsigned columns @alies-dev
• Default values from migrations: ->default() calls in migrations are now parsed and tracked, enabling more accurate type inference for model attributes with defaults @alies-dev
• Fix: columns silently dropped: non-method-call statements (like if blocks) inside migration closures no longer cause subsequent column definitions to be skipped @alies-dev
• Fix: foreignIdFor() column name: foreignIdFor(User::class) now correctly resolves to user_id instead of id @alies-dev

Internal

• Upgrade to PHPUnit 11.5 (#424) @alies-dev
• CI: add PHP 8.5 and multi-version Laravel installer testing @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.2...v3.1.3

What’s Changed

• Update barryvdh/laravel-ide-helper dependency @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.1...v3.1.2

What’s Changed

• Suppress common Laravel issues with full hierarchy support (#400) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.0...v3.1.1

What’s Changed

Taint Analysis: Security Analysis in Psalm. Example 1, Example 2

• Add comprehensive Psalm annotations for taint analysis (#418) @alies-dev
• Fix false-positive ArgumentTypeCoercion for retry() helper (#417) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.0.5...v3.1.0

What’s Changed

• Update dependencies and internal type info (#416) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.0.4...v3.0.5

What’s Changed

• Update stub for dispatch() match upstream Laravel (#407) @saulens22

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.0.3...v3.0.4

What's Changed

• Fix "no hint path defined for ide helper" error by @alies-dev in https://github.com/psalm/psalm-plugin-laravel/pull/396
• Add special dev to composer keywords (#397) @alies-dev

Internal changes:

• Composer: disableProcessTimeout for a slow test:type @alies-dev
• Properly initiate GeneratorCommand @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v2.12.1...v2.12.2