⬆️ Update dependency laravel/framework to v11.44.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
laravel/framework (source)	11.36.1 -> 11.44.1

GitHub Vulnerability Alerts

CVE-2025-27515

When using wildcard validation to validate a given file or image field array (files.*), a user-crafted malicious request could potentially bypass the validation rules.

---

Release Notes

laravel/framework (laravel/framework)

v11.44.1

Compare Source

• [11.x] Add valid values to ensure method by @​lancepioch in #​54840
• Fix attribute name used on Validator instance within certain rule classes by @​crynobone in #​54845
• [11.x] Fix Application::interBasePath() fails to resolve application when project name is "vendor" by @​crynobone in #​54871
• [11.x] Test improvements by @​crynobone in #​54879

v11.44.0

Compare Source

• [11.x] Fix parsing PHP_CLI_SERVER_WORKERS as string instead of int by @​crynobone in #​54724
• [11.x] Rename Redis parse connection for cluster test method to follow naming conventions by @​jackbayliss in #​54721
• [11.x] Allow readAt method to use in database channel by @​utsavsomaiya in #​54729
• [11.x] Fix: Custom Exceptions with Multiple Arguments does not properly rein… by @​pandiselvamm in #​54705
• [11.x] Update ConcurrencyTest exception reference to use namespace by @​jackbayliss in #​54732
• [11.x] Deprecate Factory::$modelNameResolver by @​samlev in #​54736
• [11x.] Improved typehints for InteractsWithDatabase by @​cosmastech in #​54748
• [11.x] Improved typehints for InteractsWithExceptionHandling && ExceptionHandlerFake by @​cosmastech in #​54747

v11.43.2

Compare Source

• [11.x] Add missing test for implode() by @​nuernbergerA in #​54704
• [11.x] Enhance eventStream to Support Custom Events and Start Messages by @​devhammed in #​54695
• Revert "[11.x] Enhance eventStream to Support Custom Events and Start Messages" by @​taylorotwell in #​54714
• [11.x] Replace MD5 with xxh128 in File::hasSameHash() by @​vlakoff in #​54690
• [11.x] Add parameter typing for closure to addGlobalScope method by @​jnoordsij in #​54677
• [11.x] assertOnlyJsonValidationErrors / assertOnlyInvalid by @​gdebrauwer in #​54678
• [11.x] Allow for assertions against QueueFake::pushRaw() by @​cosmastech in #​54703
• [11.x] Fix: Handles non nested explode of multiple Date and Numeric rules in ValidationRuleParser by @​AlexandreMeledandri in #​54718

v11.43.1

Compare Source

• [11.x] Fix "Divide by Zero" regression bug introduced in #​54650 by @​crynobone in #​54685
• Revert "Fix Collection::implode with \Stringable objects" by @​crynobone in #​54691

v11.43.0

Compare Source

• Remove Incorrect @​mixin Annotation in BuildsQueries Trait by @​daniel-de-wit in #​54596
• make withoutScopedBindings usable on RouteRegistrar by @​ssninnni in #​54592
• [11.x] Update Broadcasting Install Command For Bun Version 1.1.39^ by @​realpoke in #​54605
• [11.x] Add isTtySupported to Process facade by @​Riley19280 in #​54604
• [11.x] fix: pagination generics by @​calebdw in #​54601
• Convert closures to arrow functions in the Model class by @​alikhosravidev in #​54599
• [11.x] Document hashedValue as non-nullable by @​JurianArie in #​54615
• [11.x] Prohibited If Declined and Prohibited If Accepted validation rules by @​osama-98 in #​54608
• [11.x] Fix param types for orWhereHasMorph method by @​simonellensohn in #​54659
• [11.x] Add pascal alias for studly string helper by @​da-mask in #​54655
• [11.x] make the Eloquent missing attribute handler more accurate by changing offsetExists by @​koenvu in #​54654
• [11.x] use exec function if the symlink function is unavailable by @​aisuvro in #​54651
• [11.x] use value helper for $perPage as used for $total by @​rodrigopedra in #​54650
• [11.x] [cleanup] used illuminate str contains by @​daison12006013 in #​54647
• [11.x] Allow can attribute on group by @​utsavsomaiya in #​54648
• Test Improvements by @​crynobone in #​54645
• Fixes Factory Using Wrong Model Name by @​SameOldNick in #​54644
• [11.x] fix 'parsePipeString' in pipeline helper by @​igzard in #​54643
• Update old() docblock by @​AJenbo in #​54641
• [11.x] Feature: Array reject by @​liamduckett in #​54638
• [11.x] Blade @​include performance by @​AlliBalliBaba in #​54633
• Fix Collection::implode with \Stringable objects by @​timkelty in #​54630
• [11.x] Fix serve command with PHP_CLI_SERVER_WORKERS by @​crynobone in #​54606
• [11.x] new: ddJson method on TestResponse class by @​chester-sykes in #​54673
• [11.x] Add find sole query builder method by @​zepfietje in #​54667
• [11.x] Fix regression bug with global Factory::guessModelNamesUsing() by @​crynobone in #​54665
• [11.x] Fix routeCollection get method return value when searching by dot not… by @​abdel-aouby in #​54672
• [11.x] Add withWhereRelation method to builder by @​utsavsomaiya in #​54668

v11.42.1

Compare Source

• Add Taylor's inspiring quote - We must ship by @​1weiho in #​54579
• Type the callback for Relation::noConstraints by @​simon-tma in #​54572
• [11.x] fix: getQualified{Created,Updated}AtColumn never returning null by @​calebdw in #​54568
• [11.x] assertStreamed and assertNotStreamed by @​gdebrauwer in #​54566
• [11.x] Add assertJsonFragments assertion by @​lioneaglesolutions in #​54576
• [11.x] doesntContain on eloquent collection by @​gdebrauwer in #​54567
• [11.x] Allow batching a Closure by @​cosmastech in #​54587

v11.42.0

Compare Source

• docs: clarify use of hasOption() by @​jezmck in #​54415
• Test Improvements by @​crynobone in #​54427
• [11.x] add Generics to Paginator's ArrayAccess methods by @​taka-oyama in #​54428
• [11.x] Fix docblocks for code that calls enum_value() by @​cosmastech in #​54432
• [11.x] Fix assertContent on laravel test that respond with Symfony Response Object by @​tben in #​54467
• [11.x] Add Higher Order Messaging support for last by @​fernandokbs in #​54459
• [11.x] Database testing traits has impact to artisan calls by @​nivseb in #​54458
• [11.x] Add precision to Number::currency() by @​benjibee in #​54456
• [11.x] Add generics to lazy queries by @​axlon in #​54453
• [11.x] Merge in eager loads from nested where queries by @​ollieread in #​54455
• [11.x] Fluent numeric validation by @​xoesae in #​54425
• [11.x] Fix casts + withAttributes by @​tontonsb in #​54422
• [11.x] Ensure batched jobs are actually batchable by @​josepostiga in #​54442
• [11.x] Update PHPStan to 2.x by @​tamiroh in #​53716
• Test Improvements by @​crynobone in #​54475
• Add relative date shorthands to Query Builder by @​jasonmccreary in #​54408
• [11.x] feat: add better closure typing in QueriesRelationships by @​calebdw in #​54452
• [11.x] Fix the method explodeExplicitRule to support Numeric Validation by @​mrvipchien in #​54478
• Add Builder On Clone callback support by @​ralphjsmit in #​54477
• Support relative paths to SQLite databases by @​LukeTowers in #​54480
• [11.x] Where doesnt have nullable morph by @​liamduckett in #​54363
• [11.x] Add the ability to skip migrations within tests by @​cosmastech in #​54441
• Queue Integration Tests with Redis Cluster by @​vadimonus in #​54218
• [11.x] Optimize PendingBatch@ensureJobIsBatchable by @​cosmastech in #​54485
• [11.x] Supports PHPUnit 12.0 by @​crynobone in #​54316
• [11.x] Fix spelling in comment by @​lorenzolosa in #​54503
• [11.x] Add Context "missing" method by @​vbergerondev in #​54499
• [11.x] feat: add generics to Container methods by @​MrMeshok in #​54543
• [11.x] Add a setAssetRoot method to the UrlGenerator class by @​ollieread in #​54530
• [11.x] Handle Null Check in Str::startsWith and Str::endsWith by @​onairmarc in #​54520
• [11.x] Improve check for relative sqlite databases by @​LukeTowers in #​54513
• Revert "[11.x] Use Str::wrap() instead of nesting Str::start() inside Str::finish()" by @​shaedrich in #​54528
• [11.x] Job Batches with Redis Cluster by @​vadimonus in #​54522
• [11.x] fix: specify type of TClass generic in Container by @​MrMeshok in #​54545
• [11.x] Improve docblocks for morph maps in Relation by @​cosmastech in #​54560
• docs: fix return type documentation for initializeSignal method by @​nzsys in #​54553
• [11.x] Add support for middlewares & failed handler on broadcastable events by @​Jacobs63 in #​54562
• [11.x] json assertions on streamed content by @​gdebrauwer in #​54565

v11.41.3

Compare Source

v11.41.2

Compare Source

v11.41.1

Compare Source

• [11.x] Allow secret key Updates Without Bringing the Site Up by @​rashidlaasri in #​54389
• [11.x] use Auth::userResolver when resolving the authenticated user by @​rodrigopedra in #​54382
• [11.x] Add Macroable and fill() to Support\Fluent by @​stevebauman in #​54404
• [11.x] Optimize pluck() to avoid redundant column selection by @​zsocakave in #​54396
• [11.x] Optimize loadTranslationsFrom function for simplicity and clarity by @​selcukcukur in #​54407
• feat: gracefully handle command not found exception - avoid creds exposure by @​chinmaypurav in #​54406
• Handle pooled Postgres connections for Laravel Cloud by @​taylorotwell in #​54346

v11.41.0

Compare Source

• [11.x] more pint rules by @​browner12 in #​54332
• [11.x] Allow TestComponent to be macroable by @​ziadoz in #​54359
• [11.x] Fix validator return fails if using different date formats by @​mrvipchien in #​54350
• [11.x] fix the method explodeExplicitRule to support Customizable Date Validation by @​mrvipchien in #​54353
• [11.x] Adds the addPath() method to the Lang facade and the Translator class. by @​selcukcukur in #​54347
• Improve: add fire failed event at once by @​cesarMtorres in #​54376
• [11.x] feat: Create missing pgsql database when running migrations by @​mathiasgrimm in #​54314
• [11.x] Proper rate limiter fix with phpredis serialization/compression enabled by @​TheLevti in #​54372
• Update Stringable Rule testcases by @​mrvipchien in #​54387
• [11.x] Use Date facade for storing the password confirmation timestamp by @​crynobone in #​54383

v11.40.0

Compare Source

• draft: fix: Don't release lock for ShouldBeUniqueUntilProcessing Job that gets released by @​mathiasgrimm in #​54261
• [11.x] Add Laravel Pint by @​browner12 in #​53835
• Add self to HasCollection type param in Model by @​thena-seer-sfg in #​54311
• [11.x] Add pending attributes by @​tontonsb in #​53720
• fix: schedule:test on commands using runInBackground by @​dallyger in #​54321
• [11.x] Helper methods to dump responses of the Laravel HTTP client by @​morrislaptop in #​54317
• Add support for cursor editor in ResolvesDumpSource by @​tuxfamily in #​54318
• [11.x] Add Customizable Date Validation Rule with Flexible Date Constraints by @​michaelnabil230 in #​53465
• [11.x] start syncing StyleCI rules to Pint by @​browner12 in #​54326
• [11.x] apply our new Pint rule to the /tests directory by @​browner12 in #​54325
• fix(Collection::pop()): count < 1 by @​artumi-richard in #​54340
• Patch CVE-2025-22145 in nesbot/carbon package by @​dennis-koster in #​54335
• [11.x] Prevent unintended serialization and compression by @​JeppeKnockaert in #​54337
• [11.x] Pass collection of models to whereMorphedTo / whereNotMorphedTo by @​gdebrauwer in #​54324

v11.39.1

Compare Source

• fix: collapseWithKeys on empty collection by @​benatoff in #​54290
• fix(broadcaster): incorrect channel matching because of dot in pattern by @​021-projects in #​54303
• [11.x] Use constructor property promotion for database query condition expression by @​shaedrich in #​54302
• [11.x] Add IncrementOrCreate method to Eloquent by @​carloeusebi in #​54300
• [11.x] Add additional test cases for Arr helper to enhance coverage by @​mrvipchien in #​54298
• Bump vite from 5.2.14 to 5.4.12 in /src/Illuminate/Foundation/resources/exceptions/renderer by @​dependabot in #​54296
• [11.x] Fix unique jobs that have a uniqueVia method by @​DougSisk in #​54294

v11.39.0

Compare Source

• [11.x] Replace duplicate ValidatedInput functions with InteractsWithData trait by @​stevebauman in #​54208
• [11.x] Improve Email validation rule custom translation messages by @​SanderMuller in #​54202
• [11.x] Fix deprecation warnings in optimize:clear and optimize by @​cosmastech in #​54197
• [11.x] Add support for phpredis backoff and max retry config options by @​TheLevti in #​54191
• Introduces UseFactory attribute by @​christopherarter in #​54065
• [11.x] Set class-string generic on UseFactory by @​cosmastech in #​54215
• [11.x] switch LazyCollection::make() for new LazyCollection() by @​AhmedAlaa4611 in #​54216
• support style file name hashes with query strings in manifest by @​newapx in #​54219
• [11.x] Solidify Rule::email() tests by @​SanderMuller in #​54226
• [11.x] Fix line-ending mismatch in CliDumperTest::testArray and CliDumperTest::testObject by @​AhmedAlaa4611 in #​54222
• Add a report/log option to filesystem exceptions without throwing by @​lotharthesavior in #​54212
• [11.x] Fix Cache component to be aware of phpredis serialization and compression settings by @​TheLevti in #​54221
• [11.x] fix: Forcing DB Session driver to always use the write connection by @​mathiasgrimm in #​54231
• [11.x] Fix line-ending mismatch in BladeComponentTagCompilerTest under Illuminate\Tests\View\Blade by @​AhmedAlaa4611 in #​54233
• [11.x] Fix job not logged in failed_jobs table if timeout occurs within database transaction by @​decaylala in #​54173
• [11.x] Fix unique job lock is not released on model not found exception, lock gets stuck. by @​zackAJ in #​54000
• [11.x] Fix line-ending mismatch on Windows test by @​AhmedAlaa4611 in #​54236
• Added support in DB::prohibitDestructiveCommands to preventing destructive Rollback… by @​hexathos in #​54238
• [11.x] Add applyAfterQueryCallbacks Support to Non-Mutator Cases in pluck Method by @​batinmustu in #​54268
• [11.x] addPath() Allow adding new path for translation loader. by @​selcukcukur in #​54277

v11.38.2

Compare Source

• [11.x] Simplify Codebase by Using qualifyColumn Helper Method by @​SanderMuller in #​54187
• Revert "Add support for missing Postgres connection options" by @​crynobone in #​54195
• Revert "[11.x] Support DB aggregate by group (new methods)" by @​crynobone in #​54196

v11.38.1

Compare Source

• Fix breaking change - Revert "[11.x] Replace string class names with ::class constants" by @​SanderMuller in #​54185
• Add failing test for #​54185 by @​SanderMuller in #​54186

v11.38.0

Compare Source

• Fix offset range in docblock by @​simon-tma in #​54062
• [11.x] Fix breaking change in RefreshDatabase by @​SjorsO in #​54075
• [11.x] Fallback to parent methods on HasUniqueStringIds trait by @​hafezdivandari in #​54096
• [11.x] Adds finally method to pipeline helper by @​nunomaduro in #​54110
• Add support for missing Postgres connection options by @​Maniload in #​54101
• fix: Don't set newLineWritten to true unless verbosity allows output by @​ConnySjoblom in #​54127
• [11.x] Adds support for Attribute return mutators to the Eloquent/Builder pluck method by @​MattBradleyDev in #​54130
• [11.x] Fixes wrong @mixin on SoftDeletes trait by @​nunomaduro in #​54140
• [11.x] Replace string class names with ::class constants by @​panakour in #​54134
• [11.x] fix times() calls by @​browner12 in #​54141
• [11.x] minor readability by @​browner12 in #​54117
• Handles factory=null in ConnectException while recording request-response in PendingRequest by @​StSarc in #​54121
• [11.x] Refine error messages for detecting lost connections (Debian bookworm compatibility) by @​mfn in #​54111
• [11.x] fix: filter vendor paths from registered loaders in Application::inferBasePath by @​calebdw in #​54119
• [11.x] Allow exceptions to the optimize and optimize:clear commands by @​jonerickson in #​54070
• Add action filter to route:list by @​miccehedin in #​54135
• No explicit USE database statement by @​TheLevti in #​54132
• Add support for custom payloads and channels in broadcasting by @​JanneDeVos in #​54099
• [11.x] Add fluent Email validation rule by @​SanderMuller in #​54067
• [11.x] middleware support for specific method in resource routes by @​MrPunyapal in #​53313
• [11.x] Support DB aggregate by group (new methods) by @​GromNaN in #​53679
• Correct return type to match functionality by @​willpower232 in #​54148
• [11.x] Renaming Traveler to Passable and Stops to Pipes by @​mathiasgrimm in #​54142
• [11.x] Add Dispatchable::newPendingDispatch() by @​cosmastech in #​54153
• [11.x] Add FormRequest::array($key) and Fluent::array($key) by @​stevebauman in #​54177
• [11.x] Make methods of HasRelationships generic by @​SanderMuller in #​54174
• [11.x] Make tests pass on Herd by @​SanderMuller in #​54171
• Revert "Fix: Handle mixed-type values in compileInsert" by @​crynobone in #​54169
• [11.x] Fix docblock for PendingDispatch@getJob() by @​cosmastech in #​54158
• pass options to migration events by @​willpower232 in #​54151
• Encode cache values for SQLite with base64 to prevent failing on \0 characters by @​adamkiss in #​54178
• [11.x] Fix invokable validation rule return type by @​axlon in #​54179

v11.37.0

Compare Source

• [11.x] Update Collection::hasAny by @​JeftaAtSiip in #​53963
• [11.x] Update DetectsLostConnections trait by @​holgerk in #​53966
• Fix: (Queue Worker) firing the JobPopped event when $popCallbacks returns null by @​rudenav in #​53962
• [11.x] Add Dumpable trait to Uri by @​nuernbergerA in #​53960
• Fix: Handle mixed-type values in compileInsert by @​alipadron in #​53948
• [11.x] Add $ignoreCase option to Str::is by @​stevebauman in #​53981
• [11.x] Updates component dependencies by @​crynobone in #​53975
• [11.x] Update Uri withoutQuery method to accept string or array input by @​1weiho in #​53973
• [11.x] Fix cached health endpoint not working when in maintenance mode by @​crynobone in #​53974
• Add PHPDoc type hints by @​shaedrich in #​53984
• [11.x] Allow passing bool to facade Http@​preventStrayRequests() by @​cosmastech in #​53992
• [11.x] Use Str::wrap() instead of nesting Str::start() inside Str::finish() by @​shaedrich in #​53987
• Fix day range in docblock by @​timacdonald in #​53985
• [11.x] Fixes Illuminate\Http\Response to output empty string if $content is set to null by @​crynobone in #​53872
• [11.x] Fix/Improve Resend transport response handling by @​markovic-nikola in #​54004
• [11.x] Update View::withErrors() docblock to reflect string parameter support by @​cheack in #​54009
• 11.x improve resend transport response handling - fix by @​markovic-nikola in #​54006
• [11.x] Added new Eloquent methods: whereDoesntHaveRelation, whereMorphDoesntHaveRelation and their variants with OR by @​andrey-helldar in #​53996
• [11.x] Re-refresh the database if the RefreshDatabase transaction was committed by @​SjorsO in #​53997
• [11.x] add assertFailedWith to InteractsWithQueue trait by @​teddy-francfort in #​53980
• Quick doc fix by @​mathiasgrimm in #​54040
• [11.x] Allow using Illuminate\Support\Uri on testing HTTP Requests by @​crynobone in #​54038
• [11.x] Adding tests for Overlapping Routes by @​mathiasgrimm in #​54050
• [11.x] adding tests for null & * key given in data_get by @​jwjenkin in #​54059

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.44%. Comparing base (1e8c04b) to head (a42973f).

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #268   +/-   ##
=========================================
  Coverage     96.44%   96.44%           
  Complexity       44       44           
=========================================
  Files            12       12           
  Lines           225      225           
=========================================
  Hits            217      217           
  Misses            8        8           

Flag	Coverage Δ
pest	96.44% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.