psalm/plugin-laravel

Laravel Psalm plugin for deep static analysis plus taint-based security scanning. Detect SQL injection, XSS, SSRF, shell injection, path traversal, and open redirects by tracking user input through Laravel code—without executing it. Complements Larastan/PHPStan.

v4.12.1

What's Changed

Fixes

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.12.0...v4.12.1

v2.12.3

What's changed:

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v2.12.2...v2.12.3

v3.12.0

What’s Changed

Features

  • Narrow config() and Repository::get() return types (#1006) @alies-dev
  • Resolve custom Facades in Laravel package source repos (for running on package repos) (#957) @alies-dev

Fixes

  • Specialize Js::from() and Js::encode() taint per call-site (reduce false-positive reports) (#1010) @alies-dev
  • Narrow Request::query() and Request::post() return types (#1009) @alies-dev

Internal changes

  • CI: dedupe push/PR runs and add concurrency cancel (#1008) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.11.0...v3.12.0

v4.12.0

What’s Changed

Features

  • Narrow config() and Repository::get() return types (#1006) — opt-out by a new resolveConfigReturnTypes config key @alies-dev
  • Resolve custom Facades in Laravel package source repos (for running on package repos) (#957) @alies-dev

Fixes

  • Specialize Js::from() and Js::encode() taint per call-site (reduce false-positive reports) (#1010) @alies-dev
  • Narrow Request::query() and Request::post() return types (#1009) @alies-dev

Internal changes

  • CI: dedupe push/PR runs and add concurrency cancel (#1008) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.11.0...v4.12.0

v3.11.0

What’s Changed

Features

  • Eloquent improvements:
    • Resolve dynamic where{Column} on Model direct calls (#1001) @alies-dev
    • Narrow Eloquent Builder aggregate (avg(), max(), sum(), etc) returns using a known column type (#1005) @alies-dev
    • Type-check dynamic where{Column} arguments on Eloquent relations (#939) @alies-dev
    • Validate multi-segment dynamic where{Column} method calls (#980) @alies-dev
    • Narrow pluck($value, $key) key type and cover relation chains (#968) @alies-dev
    • Narrow Model::only() return shape from literal keys (#933) @alies-dev
    • Narrow MySQL SET columns to literal union in ModelPropertyHandler (#932) @alies-dev
  • Macroable improvements:
    • Recover macro closure docblocks from vendor packages via AST scan (#994) @alies-dev
    • Use Macroable return type info from docblock Psalm storage (#989) @alies-dev
    • Lock in fluent macro narrowing on closure : static return types (#987) @alies-dev
  • CLI:
    • Add diagnose subcommand for runtime introspection (#959) @alies-dev
    • Add tips for the diagnose command and enhance config created by the init command (#971) @alies-dev
    • Better defaults for psalm-laravel init command @alies-dev
  • Resolve Model::factory()->create() collapse on bare HasFactory (#964) @alies-dev
  • Multi-target facade dispatch for Auth/Cache/Session/Storage/Mail (#907) @alies-dev
  • Narrow auth($name) return to concrete guard class (#981) @alies-dev
  • Narrow Storage::disk() return to Cloud for cloud-driver disks (#982) @alies-dev
  • Resolve Carbon cascade + narrow dual-purpose method returns #922 (#950) @alies-dev
  • Accept variadic strings on Route::middleware facade and RouteRegistrar (#986) @alies-dev
  • Narrow Request::file() via source-level conditional return (#935) @alies-dev

Fixes

  • Dead code mode improvements (PossiblyUnusedMethod):
    • Suppress PossiblyUnusedMethod for legacy scopeXxx() Eloquent methods (#999) @alies-dev
    • Suppress PossiblyUnusedMethod for #[Scope]-attributed Eloquent methods (#998) @alies-dev
  • Anchor config_path() at the project root under Testbench fallback (#949) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.10.2...v3.11.0

v4.11.0

What’s Changed

Features

  • Eloquent improvements:
    • Resolve dynamic where{Column} on Model direct calls (#1001) @alies-dev
    • Narrow Eloquent Builder aggregate (avg(), max(), sum(), etc) returns using a known column type (#1005) @alies-dev
    • Type-check dynamic where{Column} arguments on Eloquent relations (#939) @alies-dev
    • Validate multi-segment dynamic where{Column} method calls (#980) @alies-dev
    • Narrow pluck($value, $key) key type and cover relation chains (#968) @alies-dev
    • Narrow Model::only() return shape from literal keys (#933) @alies-dev
    • Narrow MySQL SET columns to literal union in ModelPropertyHandler (#932) @alies-dev
  • Macroable improvements:
    • Recover macro closure docblocks from vendor packages via AST scan (#994) @alies-dev
    • Use Macroable return type info from docblock Psalm storage (#989) @alies-dev
    • Lock in fluent macro narrowing on closure : static return types (#987) @alies-dev
  • CLI:
    • Add diagnose subcommand for runtime introspection (#959) @alies-dev
    • Add tips for the diagnose command and enhance config created by the init command (#971) @alies-dev
    • Better defaults for psalm-laravel init command @alies-dev
  • Resolve Model::factory()->create() collapse on bare HasFactory (#964) @alies-dev
  • Multi-target facade dispatch for Auth/Cache/Session/Storage/Mail (#907) @alies-dev
  • Narrow auth($name) return to concrete guard class (#981) @alies-dev
  • Narrow Storage::disk() return to Cloud for cloud-driver disks (#982) @alies-dev
  • Resolve Carbon cascade + narrow dual-purpose method returns #922 (#950) @alies-dev
  • Accept variadic strings on Route::middleware facade and RouteRegistrar (#986) @alies-dev
  • Narrow Request::file() via source-level conditional return (#935) @alies-dev

Fixes

  • Dead code mode improvements (PossiblyUnusedMethod):
    • Suppress PossiblyUnusedMethod for legacy scopeXxx() Eloquent methods (#999) @alies-dev
    • Suppress PossiblyUnusedMethod for #[Scope]-attributed Eloquent methods (#998) @alies-dev
  • Anchor config_path() at the project root under Testbench fallback (#949) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.10.2...v4.11.0

v3.10.2

What's Changed

Features

Fixes

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.10.1...v3.10.2

v4.10.2

Tighter Request::validated() narrowing, sharper Collection chain inference, and two false-positive fixes in testing + factory flows.

What's Changed

Features

Fixes

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.10.1...v4.10.2

v4.10.1

What's Changed

Features

Fixes

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.10.0...v4.10.1

v3.10.0

What's Changed

Features

Fixes

Internal changes

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.9.2...v3.10.0

v4.10.0

What's Changed

Features

Fixes

Internal changes

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.9.3...v4.10.0

v3.9.3

What's Changed

Improvements

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.9.2...v3.9.3

v4.9.3

What's Changed

Improvements

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.9.2...v4.9.3

v3.9.2

What's Changed

Features & Fixes

Internal changes

New Contributors

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.9.1...v3.9.2

v4.9.2

What's Changed

Features & Fixes

Internal changes

New Contributors

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.9.1...v4.9.2

v3.9.1

What’s Changed

Fixes

  • Fix Psalm crash on AuthManager::__call-forwarded methods (eg auth()->authenticate()) (#856) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.9.0...v3.9.1

v4.9.1

What’s Changed

Fixes

  • Fix Psalm crash on AuthManager::__call-forwarded methods (eg auth()->authenticate()) (#856) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.9.0...v4.9.1

v3.9.0

What’s Changed

This release focuses on respecting validation rules when deciding whether to mark input as safe.

Validation & taint analysis

  • Use a more precise taint-escape strategy for validation rules (#819) @alies-dev
  • Extend rule-based taint escape to FormRequest input() / string() / str() accessors (#821) @alies-dev
  • Honour Validation Rule class-level @psalm-taint-escape on custom Rule classes (#826) @alies-dev

Custom Eloquent Builders

  • Preserve fluent return types on custom Eloquent builder subclasses (#845) @alies-dev
  • Fix scopes() chaining on builder contracts (#846) @alies-dev
  • Register custom builder pseudo-method macros (#847) @alies-dev
  • Bind firstOr() callback template across argument positions (#851) @alies-dev

CLI Features

  • New vendor/bin/psalm-laravel CLI with init subcommand for first-time plugin setup (#786) @alies-dev
  • New psalm-laravel add subcommand to scaffold a GitHub Actions security-analysis workflow (#814) @alies-dev

Other type inference changes

  • Support more Laravel public methods that use variadic parameters: Collection, Session, RedirectResponse, LazyCollection, MessageBag, ServiceProvider (#809, #832) @alies-dev
  • Widen Collection::make / LazyCollection::make / collect() for scalar inputs (#783) @alies-dev
  • Fix InvalidArgument on arrow-function closures in the Builder::where family (#784) @alies-dev
  • Relocate only / except / collect / old to the correct traits (#825) @alies-dev
  • Restate implements / extends in 4 stubs that were wiping reflected metadata (#835, #836) @alies-dev

Internal changes

  • Add StatsHandler to report plugin-level counts under psalm --stats (#817) @alies-dev
  • Include plugin configuration in the bug-report issue body (#781) @alies-dev

v4.9.0

What’s Changed

This release focuses on respecting validation rules when deciding whether to mark input as safe.

Validation & taint analysis

  • Use a more precise taint-escape strategy for validation rules (#819) @alies-dev
  • Extend rule-based taint escape to FormRequest input() / string() / str() accessors (#821) @alies-dev
  • Honour Validation Rule class-level @psalm-taint-escape on custom Rule classes (#826) @alies-dev

Custom Eloquent Builders

  • Preserve fluent return types on custom Eloquent builder subclasses (#845) @alies-dev
  • Fix scopes() chaining on builder contracts (#846) @alies-dev
  • Register custom builder pseudo-method macros (#847) @alies-dev
  • Bind firstOr() callback template across argument positions (#851) @alies-dev

CLI Features

  • New vendor/bin/psalm-laravel CLI with init subcommand for first-time plugin setup (#786) @alies-dev
  • New psalm-laravel add subcommand to scaffold a GitHub Actions security-analysis workflow (#814) @alies-dev

Other type inference changes

  • Support more Laravel public methods that use variadic parameters: Collection, Session, RedirectResponse, LazyCollection, MessageBag, ServiceProvider (#809, #832) @alies-dev
  • Widen Collection::make / LazyCollection::make / collect() for scalar inputs (#783) @alies-dev
  • Fix InvalidArgument on arrow-function closures in the Builder::where family (#784) @alies-dev
  • Relocate only / except / collect / old to the correct traits (#825) @alies-dev
  • Restate implements / extends in 4 stubs that were wiping reflected metadata (#835, #836) @alies-dev

Internal changes

  • Add StatsHandler to report plugin-level counts under psalm --stats (#817) @alies-dev
  • Include plugin configuration in the bug-report issue body (#781) @alies-dev

v3.8.4

Backport of changes from the v4.8.2-v4.8.4 releases

What's Changed

  • Narrow AuthManager instance calls, not just the Auth facade (#773) @alies-dev
  • Register Carbon lazy class stubs to prevent MissingDependency errors (#770) @alies-dev
  • Widen Stringable-accepting stubs to reduce ImplicitToStringCast false positives (#775) @alies-dev
  • Tighten filled() to narrow ?string to non-empty-string (#762) @alies-dev
  • fix: narrow app(static::class, ...) and class-string<Foo> arguments (#754) @alies-dev
  • Silence misleading autoloader warning for anonymous Model subclasses (e.g. Laravel Scout) (#769) @alies-dev
  • Stop NoEnvOutsideConfig from firing inside analysed project's config/ (#767) @alies-dev
  • Prevent plugin crashing on invalid Facade aliases (#746) @alies-dev
  • Fix false-positive DocblockTypeContradiction on filled()/blank() guards with nullable strings (#753) @alies-dev

Internal changes

  • Enhance DX with tests (parallel running, optimisations, etc) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.8.1...v3.8.4

v4.8.4

What’s Changed

This release focuses on fixing minor issues (plugin gaps) found on real projects.

Fixes

  • Narrow AuthManager instance calls, not just the Auth facade (#773) @alies-dev
  • Register Carbon lazy class stubs to prevent MissingDependency errors (#770) @alies-dev
  • Widen Stringable-accepting stubs to reduce ImplicitToStringCast false positives (#775) @alies-dev
  • Tighten filled() to narrow ?string to non-empty-string (#762) @alies-dev
  • Silence misleading autoloader warning for anonymous Model subclasses (e.g. Laravel Scout) (#769) @alies-dev
  • Stop NoEnvOutsideConfig from firing inside analysed project's config/ (#767) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.8.3...v4.8.4

v4.8.3

What’s Changed

Fixes

  • Fix false-positive DocblockTypeContradiction on filled()/blank() guards with nullable strings (#753) @alies-dev
  • fix: narrow app(static::class, ...) and class-string<Foo> arguments (#754) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.8.2...v4.8.3

v4.8.2

What’s Changed

Fixes

Internal changes

  • Shorten bug-report title and prevent "vendorsrc" path collapse in IssueUrlGenerator (#747) @alies-dev
  • Tests: Add --SKIPIF-- support to PsalmTest via getSkipReason() (#742) @alies-dev
  • Tests: Run type tests in parallel (use alies-dev/psalm-tester) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.8.1...v4.8.2

v3.8.1

What's Changed

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.8.0...v3.8.1

v3.8.0

v3.8.0 is a full backport of 4.x features to the Laravel 11–12 + Psalm 6 support line. Everything that shipped in v4.x–4.8 is now available on 3.x.

From this release, almost all new features will be released on both 3.x and 4.x branches.

What's Changed

This release adds the psalm-security-analysis AI skill, installable via Laravel Boost. You can install it by re-running boost:update (or boost:install on fresh installations). This allows your agent to find and fix security issues found by Psalm taint analysis.

Breaking Changes

  • BelongsToMany and MorphToMany stubs now declare 4 template params — migrate BelongsToMany<T, U> → BelongsToMany<T, U, Pivot, 'pivot'> (#716). If you documented such relationships directly in your codebase, the migration process is straightforward:
    ./vendor/bin/psalter --plugin=vendor/psalm/plugin-laravel/tools/psalter/UpgradeRelationAnnotations.php
    

Features

  • Narrow env('KEY', $default) return type based on the default argument — env('KEY', 'val') → string, env('KEY', false) → string|false (#712)
  • Narrow Auth::guard('web') to its concrete class (SessionGuard, TokenGuard) from auth.php config (#711)
  • Narrow Collection::whereNotNull() to remove null from TValue when called without a key (#713)
  • Resolve withCount/withExists/withSum/withMin/withMax/withAvg aggregate accessor properties on Eloquent models without UndefinedMagicPropertyFetch (#715)
  • Validate dispatch() and dispatchIf() arguments against the job/event constructor signature (#726)
  • Infer Carbon (or a custom date class from Date::use()) for now() and today() helpers (#725)
  • Resolve SoftDeletes methods (withTrashed, onlyTrashed, withoutTrashed) on base Builder instances (#727)
  • Type HigherOrderCollectionProxy method call chains precisely — $users->sortByDesc->method() no longer produces InvalidMethodCall (#724)
  • Validate Config::array() and Config::collection() $default argument — scalar fallbacks emit InvalidArgument (#736)
  • Add opt-in <dynamicWhereMethods value="true" /> config to resolve where{Column} calls on relation chains (#714)
  • 🛡️ Mark Http\Client\Response body/header methods (body(), json(), header(), etc.) as taint sources (#676)
  • 🛡️ Add @psalm-taint-sink file to ~30 path-accepting methods in Filesystem, FilesystemAdapter, and LockableFile (#739)

Fixes

  • Fix collect() with no arguments to return Collection<never, never> instead of Collection<array-key, mixed> (#722)
  • Fix Collection::empty() to return static<never, never>, assignable to any typed collection (#679)
  • Narrow Collection::sum() from mixed to int|float (#680)
  • Fix Conditionable::when()/unless() and Tappable::tap() returning mixed on fluent chains — now returns $this (#710)
  • Fix higher-order collection proxy properties ($col->map, $col->each) to carry concrete TKey/TValue types (#720)
  • Narrow Str::replace() return to string when the subject is a string (#719)
  • Add @psalm-this-out to paginator setCollection() to narrow the type after item replacement (#688)
  • Fix scope methods on Eloquent relation chains — $user->posts()->published()->get() now resolves correctly (#738)
  • 🛡️ Remove false-positive TaintedHtml from Blade view $data parameters — Blade auto-escapes {{ $var }} output (#690)
  • 🛡️ Remove false-positive TaintedSql from PDO-parameterized Builder methods (where, find, having, etc.) (#691)
  • Fix PossiblyUnusedMethod false positives for legacy Eloquent getXxxAttribute()/setXxxAttribute() methods (#732)

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.4.0...v3.8.0

v4.8.1

What’s Changed

  • Enhance AI skill to use compact output mode to save tokens (available from Psalm v7.0.beta-18)
  • Use E_USER_DEPRECATED output type for deprecation warnings

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.8.0...v4.8.1

v4.8.0

Laravel Boost Skill

This release adds the psalm-security-analysis AI skill, installable via Laravel Boost. You can install it by re-running boost:update (or boost:install on fresh installations). This allows your agent to find and fix security issues found by Psalm taint analysis.

What’s Changed

Features

  • Add Laravel Boost psalm-security-analysis skill for AI agents (#672) @alies-dev
  • Support HigherOrderCollectionProxy method call chains (#724) @alies-dev
  • Validate Config::array() and Config::collection() default argument type (#736) @alies-dev
  • Resolve scope methods on Eloquent relation chains (#738) @alies-dev
  • 🛡️ Add missing @psalm-taint-sink file methods to Filesystem/FilesystemAdapter stubs (#739) @alies-dev

Fixes

  • Fix: PossiblyUnusedMethod false positives for Eloquent legacy accessor/mutator methods (#732) @alies-dev

Internal changes

  • Simplify migration: Add Psalter plugin for upgrading relation PHPDoc annotations (#735) @alies-dev

    Migration of PHPDoc from v3.x version to v4.7+ for relationship definitions is easy now:

    ./vendor/bin/psalter --plugin=vendor/psalm/plugin-laravel/tools/psalter/UpgradeRelationAnnotations.php
    

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.7.0...v4.8.0

v4.7.0

What's Changed

This release focuses on Eloquent Builder type coverage — new aggregate accessor resolution (withCount/withExists/withSum/withMin/withMax/withAvg), SoftDeletes on Builder instances, where{Column} dynamic methods on builder and relations, and several stub fixes that restore correct pivot types.

Features

  • Add opt-out dynamic where{Column} method resolution on relation chains (#714)
  • Resolve withCount/withExists/withSum/withMin/withMax/withAvg aggregate accessor properties on Eloquent models (#715)
  • Support SoftDeletes methods resolving on base Builder instances (#727)
  • Update BelongsToMany/MorphToMany stubs to declare 4 template params, restoring pivot types in return values (#716)
  • Infer Carbon for now() and today() helpers (#725)
  • Validate dispatch() arguments against job/event constructor signature (#726)
  • Narrow Auth::guard() return type to the concrete guard class (#711)
  • Narrow Collection::whereNotNull() to remove null from TValue (#713)
  • Narrow env() return type based on the default value argument (#712)

Fixes

  • Fix collect() with no args to return Collection<never, never> (#722)
  • Add @property-read stubs for higher-order collection proxies (#720)
  • Add conditional return type stub for Str::replace() (#719)
  • Stub Conditionable::when()/unless() and Tappable::tap() to fix mixed return on fluent chains (#710)
  • Fix Collection::empty() and Collection::sum() return types (#683)
  • Add @psalm-this-out to paginator setCollection() (#688)
  • 🛡️ Add @psalm-taint-escape sql to parameterized Builder methods (#691)
  • 🛡️ Remove false-positive TaintedHtml sinks from Blade view data (#690)

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.6.2...v4.7.0

v4.6.2

What’s Changed

Features

  • 🛡️ Add @psalm-taint-source input for Http\Client\Response methods (#676) @alies-dev

Improvements

  • Narrow Collection::sum() return type from mixed to int|float (#680) @alies-dev
  • Add Collection::empty() stub with static<never, never> return type (#679) @alies-dev
  • Detect missing views through View facade calls (#668) @alies-dev

Internal changes

  • Support patch-version stub directories (#681) @alies-dev
  • Add taint analysis tests for undertested stub sinks (#675) @alies-dev
  • Refactor test app to Auto Repair Shop domain, reorganize type tests (#667) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.6.1...v4.6.2

v3.4.0

Backports type inference and taint analysis improvements from Plugin 4.x to Psalm 6 users.

What's Changed

Taint Analysis

  • Cookies — CookieJar make/queue/forever/forget methods flagged as taint-sink header
  • Filesystem — Storage::put(), Storage::prepend(), Storage::append() as path/file sinks
  • HTTP Client — Http::get(), Http::post(), Http::send() as SSRF sinks
  • Sessions — session() helper and Store methods as taint sources (XSS, SQL injection)
  • Views — View::make(), view() helper, View::share() as HTML sinks
  • Mail — Mailable subject/to/from as header sinks, body/line/action as HTML sinks
  • Redis — eval, evalSha, executeRaw as eval sinks
  • Uploaded files — filename, path, contents, MIME type as taint sources
  • Encryption — encrypt()/decrypt() correctly modeled as taint escape/unescape
  • Routing — route parameters as taint sources, redirector as SSRF sink
  • Response — header(), withHeaders(), cookie() as header sinks

Type Inference

Stubs backported from v4.0–v4.6 to reduce false positives:

  • Query Builder — narrowed return types (count → int<0,max>, get → Collection<int, stdClass>, cursor → LazyCollection), added 20+ method stubs (whereNot, having, from, orderBy, etc.)
  • Eloquent Builder — narrowed cursor, pluck, paginators, firstOrCreate; added whereNot, createOrFirst, findSole, chunkMap; @psalm-variadic on with()/without()
  • Model — added Stringable/HasBroadcastChannel implements, public increment/decrement
  • Schema — new stubs for Blueprint, ColumnDefinition, ForeignIdColumnDefinition, ForeignKeyDefinition (fluent migration chains)
  • Auth — new stubs for Authenticatable, SessionGuard, TokenGuard
  • Collection handlers — filter() without callback now removes null/false from TValue; flatten(1)/collapse() preserve TValue

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.3.0...v3.4.0

v4.6.1

What’s Changed

Features

  • Model models variadic arguments: support for static (__callStatic) Model calls (#663) @alies-dev
  • Custom Collections: support returns from Relation method calls (#661) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.6.0...v4.6.1

v4.6.0

What's Changed

Deep relationship type resolution, Custom query builders, Custom Collections, and smarter validation shapes (thanks to @MDG11).

Custom Query Builders

  • Infer custom query builder types via #[UseEloquentBuilder] attribute and newEloquentBuilder() override (#621) @alies-dev
  • Resolve scope methods on custom query builder instances (#633) @alies-dev
  • Support SoftDeletes trait methods on custom query builders (#632) @alies-dev

Relationships

  • Add MethodForwardingHandler for Relation method forwarding (#642) @alies-dev
  • Resolve morphTo property type from docblock generic annotations (#652) @alies-dev
  • Resolve custom collection types for relation property access (#651) @alies-dev
  • Support #[CollectedBy] attribute for custom Eloquent collections (#623) @alies-dev

Validation

  • Parse dot-notation validation rules into nested array shapes (#625) @MDG11 and @alies-dev

Type Improvements

  • Narrow Collection::flatten() and collapse() return types to preserve TValue (#619) @alies-dev
  • Redeclare Model::increment()/decrement() as public in stub (#618) @alies-dev
  • Skip ModelMakeDiscouraged when model has custom make() method (#616) @alies-dev

Security (Taint Analysis)

  • 🛡️ Add @psalm-flow for Collection get()/first()/pull()/value() default parameter taint propagation (#650) @alies-dev

Internal

  • Replace GNU time with hyperfine + github-action-benchmark (#657) @alies-dev
  • Add CI performance benchmark workflow (#655) @alies-dev

New Contributors

  • @MDG11 made their first contribution in #625 — dot-notation validation rule parsing

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.5.0...v4.6.0

v4.5.0

What's Changed

Three new opt-in rules, expanded taint coverage, and fewer false positives across the board (focus on __() and trans()).

New Rules

  • MissingView: Detect missing Blade view files in view() and View::make() calls (#579) @alies-dev
  • ModelMakeDiscouraged: Detect undefined translation keys in __() and trans() calls (#595) @alies-dev
  • MissingTranslation: Warn against Model::make() in favor of new Model() @alies-dev

Type Improvements

  • Narrow __() and trans() return type to string|array (was mixed) (#592) @alies-dev
  • Narrow __() return to string when the translation key is known to exist @alies-dev
  • Suppress false-positive MissingTemplateParam on HasFactory trait (#517) @alies-dev
  • Skip method forwarding for methods defined directly on Model (#498) @alies-dev
  • Add missing implements clauses to 15 stubs (#615) @alies-dev
  • Fix morphTo stub to bypass $this issue in generics @alies-dev
  • Fix morphToMany/morphedByMany signatures @alies-dev
  • Add @return static to Stringable stub methods @alies-dev

Security (Taint Analysis)

  • 🛡️ Add @psalm-taint-source input for Route parameter methods (#608) @alies-dev
  • 🛡️ Add taint sinks for Redis eval/executeRaw (Lua injection) @alies-dev
  • 🛡️ Add header taint sinks for CookieJar methods @alies-dev
  • 🛡️ Add $path/$domain sinks to Cookie::expire() and forget() @alies-dev
  • 🛡️ Add taint flow tracking through Str::of(), str(), and Stringable @alies-dev
  • 🛡️ Mark Hash::make() and bcrypt() as @psalm-taint-escape system_secret @alies-dev

Benchmark

Tested against 10 real-world Laravel apps (bagisto, coolify, monica, pixelfed, solidtime, unit3d, vito, and others). Combined results vs v4.4.0:

| Metric | v4.4.0 | v4.5.0 | Delta |
|---|---|---|---|
| Total issues | 84,503 | 76,123 | -9.9% |
| Plugin-caused false positives | 5,115 | 4,155 | -18.8% |
| Security findings (taint) | 83 | 84 | +1 |

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.4.0...v4.5.0

v3.3.0

What's changed

  • feat: update Collection, Model, Builder stubs (backport them from 4.x) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.2.2...v3.3.0

v3.2.2

What's Changed

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.2.1...v3.2.2

v3.2.1

What's Changed

  • Better type inference for MorphTo relationships @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.2.0...v3.2.1

v3.2.0

What's Changed

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v3.2.0

v4.4.0

What’s Changed

This is the biggest release since v4.0.

This release is focused on the Validator and FormRequest classes and provides best-in-class type inference for them.

Features

  • Improve stub type precision across Eloquent, Collections, Query Builder, and helpers to narrow down types (#583) @alies-dev
  • Add validation-aware type narrowing and taint analysis for FormRequest (#577) @alies-dev
  • 🛡️ Add taint-sink sql annotations for SQL identifiers and table names (#582) @alies-dev
  • 🛡️ Add taint sinks for View\Factory and View\View methods (#580) @alies-dev
  • 🛡️ Add taint escape annotations for Js::from() and Js::encode() (#573) @alies-dev
  • 🛡️ Add taint sources for session data retrieval (Session\Store::get() and other) (#557) @alies-dev
  • 🛡️ Add taint sinks for HTTP client SSRF and redirect methods (#555) @alies-dev
  • 🛡️ Add taint sinks for Mail and Notification classes (#556) @alies-dev

Fixes

  • Remove false-positive taint source from Request::integer() and Request::float() (#575) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.3.2...v4.4.0

v4.3.2

What’s Changed

| Dependency | plugin v3 | plugin v4 |
|---|---|---|
| PHP | ^8.2 | ^8.2 |
| Laravel | 11, 12 | 12, 13 |
| Psalm | 6, 7 (beta) | 7 only |

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.3.1...v4.3.2

v4.3.1

What’s Changed

Fixes

  • Accept flexible callable signatures in Attribute::make() (#552)
  • Add @psalm-taint-escape html for e() helper to avoid false negatives (#551)

Internal changes

  • Merge stubs/taintAnalysis/ into stubs/common/ (#553)
  • Add contribution docs for taint analysis

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.3.0...v4.3.1

v4.3.0

What's Changed

This release focuses on migration schema analysis for better Eloquent attribute type inference.

Migration Schema Analysis

  • Support broader Schema call patterns (connection chaining, class constants, custom facades) (#526)
  • Resolve foreignIdFor() column type from referenced model's primary key (#523)
  • Handle Blueprint::datetimes() and fix ulid() default column name (#531)
  • Default to mixed type for unknown Blueprint methods (custom DB types added by macros) (#528)
  • Sort migration files by basename to match Laravel's migrator ordering (#519)
  • Cache parsed migration schema to disk to speed up repeated runs (#524)

Stubs & Type Fixes

  • Fix Collection::map() return type, add Builder::select() and ResponseTrait::cookie() stubs (#548)

Security (Taint Analysis)

  • 🛡️ Add @psalm-taint-escape sql for Connection::escape() (#547)
  • 🛡️ Add taint stubs for UploadedFile and encrypt/decrypt helpers (#546)

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.2.0...v4.3.0

v4.2.0

Highlights

Relationship accessors without generics — The plugin now resolves Eloquent relationship property types even when methods lack generic annotations. Previously, $user->posts required @return HasMany<Post, User> to get a precise type. Now the plugin parses the method body AST to extract the related model from $this->hasMany(Post::class), falling back gracefully to bounded types.

Static Query Builder methods on Models — User::where(...), User::orderBy(...), and model scopes now resolve with the correct Builder<User> return type, enabling full type inference through query chains starting from the model class.

SQL schema dump support — The plugin now parses php artisan schema:dump output (MySQL, PostgreSQL, SQLite) as a base layer for model attribute discovery. PHP migrations are applied on top, matching Laravel's own resolution order.

🛡️ Security: new taint sinks — Added XSS detection through HtmlString (which bypasses Blade escaping) and path traversal detection through Storage facade methods (put, writeStream, delete, copy, move, etc.).
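
The HtmlString sink described above, together with the @psalm-taint-escape html annotation on e() from v4.3.1, can be illustrated with plain Psalm annotations. This is an added example, not the plugin's stubs or Laravel's code: RawHtml, escapeHtml() and userInput() are hypothetical stand-ins for HtmlString, e() and request input.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical stand-ins, not the plugin's stubs or Laravel classes.

/** Stand-in for HtmlString: its content is rendered without escaping. */
final class RawHtml
{
    /**
     * Marking the constructor argument as an html sink lets taint
     * analysis follow user input into unescaped output.
     *
     * @psalm-taint-sink html $html
     */
    public function __construct(private string $html) {}

    public function toHtml(): string
    {
        return $this->html;
    }
}

/**
 * Stand-in for the e() helper: output is no longer html-tainted.
 *
 * @psalm-taint-escape html
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Stand-in for request input: everything returned is attacker-controlled.
 *
 * @psalm-taint-source input
 */
function userInput(string $key): string
{
    $value = $_GET[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Tainted flow: the source reaches the html sink with no escape in between.
$unsafe = new RawHtml('<p>' . userInput('bio') . '</p>');

// Clean flow: the escape annotation removes the html taint before the sink.
$safe = new RawHtml('<p>' . escapeHtml(userInput('bio')) . '</p>');
```

Running Psalm's taint analysis over this file reports the first construction as TaintedHtml and leaves the second alone.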

Features

  • Resolve Eloquent relationship accessors without generic annotations (#502)
  • Resolve static Query\Builder methods and scopes on Model classes (#508)
  • Support SQL schema dumps for Eloquent model attribute discovery (#495)
  • Add stubs for Schema\ColumnDefinition, ForeignIdColumnDefinition, and ForeignKeyDefinition fluent methods (#501)
  • 🛡️ Add taint sink for HtmlString to detect XSS bypass of Blade escaping (#491)
  • 🛡️ Add taint sinks for Storage facade / FilesystemAdapter path traversal detection (#492)

Fixes

  • Process Schema calls in migration helper methods, not just up() (#509)
  • Discover Schema/Blueprint calls inside nested block structures (if/else, try/catch, foreach) (#506)
  • Add missing nullableTimestampsTz() switch case in schema aggregator
  • Narrow count/update/increment/decrement return type to int<0, max> (#499)

Improvements

  • Extract cached hasUserPseudoProperty() helper to reduce redundant storage lookups
  • Add $codebase->progress->debug() to relationship resolution catch blocks for --debug traceability
  • Remove silent constructor catch in findStubFiles() — errors now propagate to the top-level handler

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.1.0...v4.2.0

v4.1.0

What’s Changed

Features

  • feat: infer pluck() value type from model @property annotations (#488) @alies-dev
  • 🛡️ Add taint sinks for Artisan command injection detection (#489) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.1...v4.1.0

v4.0.1

What’s Changed

  • Taint Analysis: add sinks for sub-query builder methods (#481) @alies-dev
  • Narrow Collection::filter() return type when called without callback (#467) @alies-dev
  • Remove route helper function stub as not needed anymore @alies-dev
  • Remove once helper function stub as not needed anymore @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0...v4.0.1

v4.0.0

The biggest release since the plugin was created. 90% of the codebase was rewritten for stability, performance, and deeper Laravel coverage.

Highlights

  • Up to 50x faster on large projects (new caching layer)
  • Extended security scanning -- 9 taint analysis stubs covering SQL injection, shell injection, file traversal, SSRF, XSS, open redirect, and crypto bypass. Taint analysis now runs automatically in Psalm 7 -- no flags needed, just ./vendor/bin/psalm
  • Compatible with Larastan generics -- relationships, pagination, and Attribute<TGet, TSet> templates all work. Use both tools together: Larastan for types, psalm-plugin-laravel for security
  • Removed barryvdh/laravel-ide-helper dependency -- facades and model properties are now resolved natively by the plugin

New features

  • Custom issue checkers: InvalidConsoleArgumentName, InvalidConsoleOptionName, NoEnvOutsideConfig
  • Model @property declarations take precedence over migration-discovered properties
  • Enhanced attribute type casting -- AST-based casts() parsing without method execution
  • Scope detection -- both legacy scopeXxx() methods and Laravel 12+ #[Scope] attribute, plus the Scope interface
  • Expanded migration types -- after() closures, Blueprint::rename(), addColumn(), vector columns, and auto-discovery of directories registered via loadMigrationsFrom()

Breaking changes

| Dependency | v3 | v4 |
|---|---|---|
| PHP | ^8.2 | ^8.3 |
| Laravel | 11, 12 | 12, 13 |
| Psalm | 6, 7 (beta) | 7 only |

Eloquent relation generics now require a declaring model parameter (e.g., BelongsTo<Foo> becomes BelongsTo<Foo, self>).

Internals

  • Internal code type coverage: 100%
  • Tests run 30x faster
  • PER Coding Style 3.0
  • Better DX for testing and contributing

Upgrade

composer require --dev psalm/plugin-laravel:^4.0 -W

Full migration guide

Security scanning coverage

psalm-plugin-laravel is the only free tool that combines Laravel-aware type analysis with dataflow-based taint vulnerability detection:

| Vulnerability | Laravel surface | OWASP |
|---|---|---|
| SQL Injection | DB::statement(), DB::unprepared(), query builder raw methods | A03:2021 |
| Shell Injection | Process::run(), Process::pipe() | A03:2021 |
| File Traversal | Storage::get(), Storage::put(), 15 Filesystem methods | A01:2021 |
| SSRF | Http::get(), Http::post(), 6 HTTP client methods | A10:2021 |
| XSS | Response::setContent(), ResponseFactory::make() | A03:2021 |
| Open Redirect | Redirect::to(), Redirect::away() | A10:2021 |
| Crypto tracking | Encrypter, HashManager taint-escape/unescape | A02:2021 |

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0

v4.0.0-rc.2

What’s Changed

See v4.0.0 Beta 1 release for full list of major changes

Migration guide

composer require --dev psalm/plugin-laravel:^4.0@beta -W

If you have "minimum-stability": "stable" and get the error "Your requirements could not be resolved to an installable set of packages.", run:

composer config minimum-stability beta
composer config prefer-stable true

composer require --dev vimeo/psalm:^7.0@beta psalm/plugin-laravel:^4.0@RC -W

See Upgrading from v3 to v4 for details.

In this RC:

RC Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0-rc.1...v4.0.0-rc.2

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-rc.2

4.0 GitHub Discussion

v4.0.0-rc.1

What's Changed

See v4.0.0 Beta 1 release for full list of major changes

Migration guide

composer require --dev psalm/plugin-laravel:^4.0@beta -W

If you have "minimum-stability": "stable" and get the error "Your requirements could not be resolved to an installable set of packages.", run:

composer config minimum-stability beta
composer config prefer-stable true

composer require --dev vimeo/psalm:^7.0@beta psalm/plugin-laravel:^4.0@RC -W

See Upgrading from v3 to v4 for details.

In this RC:

RC/Beta Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0-beta.2...v4.0.0-rc.1

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-rc.1

4.0 GitHub Discussion

v4.0.0-beta.2

What’s Changed (from the previous beta)

Beta Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v4.0.0-beta.1...v4.0.0-beta.2

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-beta.2

v4.0.0-beta.1

What's Changed

  • Support Laravel 12–13; drop Laravel 11 (and update other dependencies)
  • Require PHP 8.3+; drop PHP 8.2
  • Require Psalm 7; drop Psalm 6
  • Support Model @property declarations (take precedence over migration-discovered properties)
  • Compatible with Larastan generics
    • Relationships
    • Pagination
    • Attribute
  • Enhanced Model attribute type casting
  • Enhanced Scope detection (legacy scopeXxx() and #[Scope] attribute)
  • Expanded attribute types inferred from migrations (supports more types inc. vector)
  • Speed up to 50x on big projects (caching)
  • Extended taint-analysis support

Internals

  • Remove barryvdh/laravel-ide-helper dependency — facades and model properties are now resolved natively
  • Run tests faster (30x)
  • Internal code type coverage 100%
  • PER3 coding style
  • Better test coverage

Migration guide

composer require --dev psalm/plugin-laravel:^4.0@beta -W

Major Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.5...v4.0.0-beta.1

v3.1.5

What’s Changed

  • feat: handle dropColumn() with array argument in SchemaAggregator (#448) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.4...v3.1.5

v3.1.4

What’s Changed

  • Fix false-positive ArgumentTypeCoercion for retry() helper @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.3...v3.1.4

v3.1.3

What's Changed

SchemaAggregator improvements (#423, #425)

  • Unsigned integer tracking: unsignedBigInteger, increments, foreignId, id, and the ->unsigned() modifier are now recognized, enabling non-negative-int inference for unsigned columns @alies-dev
  • Default values from migrations: ->default() calls in migrations are now parsed and tracked, enabling more accurate type inference for model attributes with defaults @alies-dev
  • Fix: columns silently dropped: non-method-call statements (like if blocks) inside migration closures no longer cause subsequent column definitions to be skipped @alies-dev
  • Fix: foreignIdFor() column name: foreignIdFor(User::class) now correctly resolves to user_id instead of id @alies-dev

Internal

  • Upgrade to PHPUnit 11.5 (#424) @alies-dev
  • CI: add PHP 8.5 and multi-version Laravel installer testing @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.2...v3.1.3

v3.1.2

What’s Changed

  • Update barryvdh/laravel-ide-helper dependency @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.1...v3.1.2

v3.1.1

What’s Changed

  • Suppress common Laravel issues with full hierarchy support (#400) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.1.0...v3.1.1

v3.1.0

What’s Changed

Taint Analysis: Security Analysis in Psalm. Example 1, Example 2

  • Add comprehensive Psalm annotations for taint analysis (#418) @alies-dev
  • Fix false-positive ArgumentTypeCoercion for retry() helper (#417) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.0.5...v3.1.0

v3.0.5

What’s Changed

  • Update dependencies and internal type info (#416) @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.0.4...v3.0.5

v3.0.4

What’s Changed

  • Update stub for dispatch() to match upstream Laravel (#407) @saulens22

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v3.0.3...v3.0.4

v2.12.2

What's Changed

Internal changes:

  • Composer: disableProcessTimeout for a slow test:type @alies-dev
  • Properly initiate GeneratorCommand @alies-dev

Full Changelog: https://github.com/psalm/psalm-plugin-laravel/compare/v2.12.1...v2.12.2
