Update dependency laravel/framework to v10 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
laravel/framework (source)	^8 → ^10

GitHub Vulnerability Alerts

CVE-2025-27515

When using wildcard validation to validate a given file or image field array (files.*), a user-crafted malicious request could potentially bypass the validation rules.

---

Release Notes

laravel/framework (laravel/framework)

v10.48.29

Compare Source

v10.48.28

Compare Source

v10.48.27

Compare Source

v10.48.26

Compare Source

• [10.x] Refine error messages for detecting lost connections (Debian bookworm compatibility) by @​mfn in #​53794
• [10.x] Bump minimum league/commonmark by @​crynobone in #​53829
• [10.x] Backport 11.x PHP 8.4 fix for str_getcsv deprecation by @​aka-tpayne in #​54074

v10.48.25

Compare Source

• [10.x] PHP 8.4 Code Compatibility by @​crynobone in #​53612

v10.48.24

Compare Source

v10.48.23

Compare Source

• [10.x] Ensure headers are only attached to illuminate responses by @​timacdonald in #​53019
• [10.x] Fix append and prepend batch to chain by @​Bencute in #​53455

v10.48.22

Compare Source

v10.48.21

Compare Source

• [10.x] Fixes whereDate, whereDay, whereMonth, whereTime, whereYear and whereJsonLength to ignore invalid $operator by @​crynobone in #​52704
• Fix arguments passed to artisan commands that start with 'env' by @​willrowe in #​52748

v10.48.20

Compare Source

• [10.x] fix: prevent casting empty string to array from triggering json error by @​calebdw in #​52415

v10.48.19

Compare Source

• Add compatible query type to Model::resolveRouteBindingQuery by @​sebj54 in #​52339
• [10.x] Fix Factory::afterCreating callable argument type by @​villfa in #​52335
• [10.x] backport #​52204 by @​calebdw in #​52389
• [10.x] In MySQL, harvest last insert ID immediately after query is executed by @​piurafunk in #​52390

v10.48.18

Compare Source

• [10.x] backport #​52188 by @​calebdw in #​52293
• [10.x] Fix runPaginationCountQuery not working properly for union queries by @​chinleung in #​52314

v10.48.17

Compare Source

• [10.x] Fix PHP_CLI_SERVER_WORKERS warning by suppressing it by @​pelomedusa in #​52094
• [10.x] Backport #​51615 by @​GrahamCampbell in #​52215

v10.48.16

Compare Source

• [10.x] Fix Http::retry so that throw is respected for call signature Http::retry([1,2], throw: false) by @​paulyoungnb in #​52002
• [10.x] Set application_name and character set as PostgreSQL DSN string by @​sunaoka in #​51985

v10.48.15

Compare Source

• [10.x] Set previous exception on HttpResponseException by @​hafezdivandari in #​51986

v10.48.14

Compare Source

• [10.x] Fixes unable to call another command as a initialized instance of Command class by @​crynobone in #​51824
• [10.x] fix handle shift() on an empty collection by @​Treggats in #​51841
• [10.x] Ensureschema:dump will dump the migrations table only if it exists by @​NickSdot in #​51827

v10.48.13

Compare Source

• [10.x] Fix typo in return comment of createSesTransport method by @​zds-s in #​51688
• [10.x] Fix collection shift less than one item by @​faissaloux in #​51686
• [10.x] Turn Enumerable unless() $callback parameter optional by @​faissaloux in #​51701
• Revert "[10.x] Turn Enumerable unless() $callback parameter optional" by @​taylorotwell in #​51707

v10.48.12

Compare Source

• [10.x] Fix typo by @​Issei0804-ie in #​51535
• [10.x] Fix SQL Server detection in database store by @​staudenmeir in #​51547
• [10.x] - Fix batch list loading in Horizon when serialization error by @​jeffortegad in #​51551
• [10.x] Fixes explicit route binding with BackedEnum by @​CAAHS in #​51586

v10.48.11

Compare Source

• [10.x] Backport: Fix SesV2Transport to use correct EmailTags argument by @​Tietew in #​51352
• [10.x] Fix PHPDoc typo by @​staudenmeir in #​51390
• [10.x] Fix apa on non ASCII characters by @​faissaloux in #​51428
• [10.x] Fixes view engine resolvers leaking memory by @​nunomaduro in #​51450
• [10.x] Do not use app() Foundation helper on ViewServiceProvider by @​rodrigopedra in #​51522

v10.48.10

Compare Source

• [10.x] Fix typo in signed URL tampering tests by @​Krisell in #​51238
• [10.x] Add "Server has gone away" to DetectsLostConnection by @​Jubeki in #​51241
• [10.x] Fix support for the LARAVEL_STORAGE_PATH env var (#​51238) by @​dunglas in #​51243

v10.48.9

Compare Source

• [10.x] Binding order is incorrect when using cursor paginate with multiple unions with a where by @​thijsvdanker in #​50884
• [10.x] Fix cursor paginate with union and column alias by @​thijsvdanker in #​50882
• [10.x] Address Null Parameter Deprecations in UrlGenerator by @​aldobarr in #​51148

v10.48.8

Compare Source

• [10.x] Fix error when using orderByRaw() in query before using cursorPaginate() by @​axlon in #​51023
• [10.x] Database layer fixes by @​saadsidqui in #​49787

v10.48.7

Compare Source

• Fix more query builder methods by @​taylorotwell in 95ef230

v10.48.6

Compare Source

• [10.x] Added eachById and chunkByIdDesc to BelongsToMany by @​lonnylot in #​50991

v10.48.5

Compare Source

• [10.x] Prevent Redis connection error report flood on queue worker by @​kasus in #​50812
• [10.x] Laravel 10x optional withSize for hasTable by @​apspan in #​50888
• [10.x] Add serializeAndRestore() to NotificationFake by @​dbpolito in #​50935

v10.48.4

Compare Source

• [10.x] Fix Collection::concat() return type by @​axlon in #​50669
• [10.x] Fix command alias registration and usage by @​crynobone in #​50695

v10.48.3

Compare Source

• Re-tag version

v10.48.2

Compare Source

• [10.x] Update mockery conflict to just disallow the broken version by @​GrahamCampbell in #​50472
• [10.x] Conflict with specific release by @​driesvints in #​50473
• [10.x] Fix for attributes being escaped on Dynamic Blade Components by @​pascalbaljet in #​50471
• [10.x] Revert PR 50403 by @​driesvints in #​50482

v10.48.1

Compare Source

• [10.x] Add conflict for Mockery v1.6.8 by @​driesvints in #​50468

v10.48.0

Compare Source

• fix: allow null, string and string array as allowed tags by @​maartenpaauw in #​50409
• [10.x] Allow Expression at more places in Query Builder by @​pascalbaljet in #​50402
• [10.x] Sleep syncing by @​timacdonald in #​50392
• [10.x] Cleaning Trait on multi-lines by @​gcazin in #​50413
• fix: incomplete type for Builder::from property by @​sebj54 in #​50426
• [10.x] After commit callback throwing an exception causes broken transactions afterwards by @​oprypkhantc in #​50423
• [10.x] Anonymous component bound attribute values are evaluated twice by @​danharrin in #​50403
• [10.x] Fix for sortByDesc ignoring multiple attributes by @​TWithers in #​50431
• [10.x] Allow sync with carbon to be set from fake method by @​abenerd in #​50450
• [10.x] Improves Illuminate\Mail\Mailables\Envelope docblock by @​crynobone in #​50448
• [10.x] Incorrect return in FileSystem.php by @​gcazin in #​50459
• [10.x] fix return types by @​imahmood in #​50461
• fix: phpstan issue - right side of || always false by @​Carnicero90 in #​50453

v10.47.0

Compare Source

• [10.x] Allow for relation key to be an enum by @​AJenbo in #​50311
• FIx for "empty" strings passed to Str::apa() by @​tiagof in #​50335
• [10.x] Fixed header mail text component to not use markdown by @​dmyers in #​50332
• [10.x] Add test for the "empty strings in Str::apa()" fix by @​osbre in #​50340
• [10.x] Fix the cache cannot expire cache with 0 TTL by @​kayw-geek in #​50359
• [10.x] Add fail on timeout to queue listener by @​saeedhosseiinii in #​50352
• [10.x] Support sort option flags on sortByMany Collections by @​TWithers in #​50269
• [10.x] Add whereAll and whereAny methods to the query builder by @​musiermoore in #​50344
• [10.x] Adds Reverb broadcasting driver by @​joedixon in #​50088

v10.46.0

Compare Source

• [10.x] Ensure lazy-loading for trashed morphTo relations works by @​nuernbergerA in #​50176
• [10.x] Arr::select not working when $keys is a string by @​Sicklou in #​50169
• [10.x] Added passing loaded relationship to value callback by @​dkulyk in #​50167
• [10.x] Fix optional charset and collation when creating database by @​GrahamCampbell in #​50168
• [10.x] update doc block in PendingProcess.php by @​saMahmoudzadeh in #​50198
• [10.x] Fix Accepting nullable Parameters, updated doc block, and null pointer exception handling in batchable trait by @​saMahmoudzadeh in #​50209
• Make GuardsAttributes fillable property DocBlock more specific by @​liamduckett in #​50229
• [10.x] Add only and except methods to Enum validation rule by @​Anton5360 in #​50226
• [10.x] Fixes on nesting operations performed while applying scopes. by @​Guilhem-DELAITRE in #​50207
• [10.x] Custom RateLimiter increase by @​khepin in #​50197
• [10.x] Add Lateral Join to Query Builder by @​Bakke in #​50050
• [10.x] Update return type by @​AmirRezaM75 in #​50252
• [10.x] Fix dockblock by @​michaelnabil230 in #​50259
• [10.x] Add Conditionable in enum rule by @​michaelnabil230 in #​50257
• [10.x] Update Facade::$app to nullable by @​villfa in #​50260
• [10.x] Truncate sqlite table name with prefix by @​kitloong in #​50251
• Correction comment for Str::orderedUuid() - https://github.com/larave… by @​wq9578 in #​50268

v10.45.1

Compare Source

• Fix typehint for ResetPassword::toMailUsing() by @​KKSzymanowski in #​50163
• [10.x] Fix Process::fake() never matching multi-line commands by @​SjorsO in #​50164

v10.45.0

Compare Source

• [10.x] Update Stringable phpdoc by @​milwad-dev in #​50075
• [10.x] Allow Collection::select() to work on ArrayAccess by @​axlon in #​50072
• [10.x] Add before to the PendingBatch by @​xiCO2k in #​50058
• [10.x] Adjust rules call sequence by @​driesvints in #​50084
• [10.x] Fixes Illuminate\Support\Str::fromBase64() return type by @​SamAsEnd in #​50108
• [10.x] Actually fix fromBase64 return type by @​GrahamCampbell in #​50113
• [10.x] Fix warning and deprecation for Str::api by @​driesvints in #​50114
• [10.x] Mark model instanse as not exists on deleting MorphPivot relation. by @​dkulyk in #​50135
• [10.x] Adds Tappable and Conditionable to Relation class by @​DarkGhostHunter in #​50124
• [10.x] Added getQualifiedMorphTypeName to MorphToMany by @​dkulyk in #​50153

v10.44.0

Compare Source

• [10.x] Fix empty request for HTTP connection exception by @​driesvints in #​49924
• [10.x] Add Collection::select() method by @​morrislaptop in #​49845
• [10.x] Refactor getPreviousUrlFromSession method in UrlGenerator by @​milwad-dev in #​49944
• [10.x] Add POSIX compliant cleanup to artisan serve by @​Tofandel in #​49943
• [10.x] Fix infinite loop when global scopes query contains aggregates by @​mateusjunges in #​49972
• [10.x] Adds PHPUnit 11 as conflict by @​nunomaduro in #​49957
• Revert "[10.x] fix Before/After validation rules" by @​taylorotwell in #​50013
• [10.x] Fix the phpdoc for replaceMatches in Str and Stringable helpers by @​joke2k in #​49990
• [10.x] Added setAbly() method for AblyBroadcaster by @​Rijoanul-Shanto in #​49981
• [10.x] Fix in appendExceptionToException method exception type check by @​t1nkl in #​49958
• [10.x] DB command: add sqlcmd -C flag when 'trust_server_certificate' is set by @​hulkur in #​49952
• Allows Setup and Teardown actions to be reused in alternative TestCase for Laravel by @​crynobone in #​49973
• [10.x] Add toBase64() and fromBase64() methods to Stringable and Str classes by @​mtownsend5512 in #​49984
• [10.x] Allows to defer resolving pcntl only if it's available by @​crynobone in #​50024
• [10.x] Fixes missing Throwable import and handle if originalExceptionHandler or originalDeprecationHandler property isn't used by alternative TestCase by @​crynobone in #​50021
• [10.x] Type hinting for conditional validation rules by @​lorenzolosa in #​50017
• [10.x] Introduce new Arr::take() helper by @​ryangjchandler in #​50015
• [10.x] Improved Handling of Empty Component Slots with HTML Comments or Line Breaks by @​comes in #​49966
• [10.x] Introduce Observe attribute for models by @​emargareten in #​49843
• [10.x] Add ScopedBy attribute for models by @​emargareten in #​50034
• [10.x] Update reserved names in GeneratorCommand by @​xurshudyan in #​50043
• [10.x] fix Validator::validated get nullable array by @​helitik in #​50056
• [10.x] Pass Herd specific env variables to "artisan serve" by @​mpociot in #​50069
• Remove regex case insensitivity modifier in UUID detection to speed it up slightly by @​maximal in #​50067
• [10.x] HTTP retry method can accept array as first param by @​me-shaon in #​50064
• [10.x] Fix DB::afterCommit() broken in tests using DatabaseTransactions by @​oprypkhantc in #​50068

v10.43.0

Compare Source

• [10.x] Add storage:unlink command by @​salkovmx in #​49795
• [10.x] Unify \Illuminate\Log\LogManager method definition comments with \Psr\Logger\Interface by @​eusonlito in #​49805
• [10.x] class-name string argument for global scopes by @​emargareten in #​49802
• [10.x] Add hasIndex() and minor Schema enhancements by @​hafezdivandari in #​49796
• [10.x] Do not touch BelongsToMany relation when using withoutTouching by @​mateusjunges in #​49798
• [10.x] Check properties on mailables are initialized before sharing with the view by @​j3j5 in #​49813
• [10.x] Remove duplicate actions/checkout from queue workflow by @​Jubeki in #​49828
• [10.x] Add insertOrIgnoreUsing for Eloquent by @​trovster in #​49827
• [10.x] Make hasIndex() Order-sensitive by @​hafezdivandari in #​49840
• [10.x] Release action by @​driesvints in #​49838
• [10.x] Add MariaDb1060Platform by @​driesvints in #​49848
• [10.x] Unified Pivot and Model Doc Block $guarded by @​eusonlito in #​49851
• [10.x] Introducing beforeStartingTransaction callback and use it in LazilyRefreshDatabase by @​pascalbaljet in #​49853
• [10.x] fix password max validation message by @​MrPunyapal in #​49861
• [10.x] Fix validation message used for max file size by @​mateusjunges in #​49879
• Update README.md by @​foremtehan in #​49878
• [10.x] Adds FormRequest@getRules() method by @​cosmastech in #​49860
• [10.x] add addGlobalScopes method by @​emargareten in #​49880
• [10.x] Allow brick/math 0.12 by @​LogicSatinn in #​49883
• [10.x] Add support for streamed JSON Response by @​pelmered in #​49873
• [10.x] Using the native fopen exception in LockableFile.php by @​eusonlito in #​49895
• [10.x] Fix LazilyRefreshDatabase when testing artisan commands by @​iamgergo in #​49914
• [10.x] Fix expressions in with-functions doing aggregates by @​tpetry in #​49912
• [10.x] Fix redis tag entries never becoming stale if cache ttl is past time by @​jagers in #​49864
• [10.x] Fix - The Translator may incorrectly report the locale of a missing translation key by @​VicGUTT in #​49900
• [10.x] fix Before/After validation rules by @​MrPunyapal in #​49871

v10.42.0

Compare Source

• [10.x] Switch to hash_equals in File::hasSameHash() by @​simonhamp in #​49721
• [10.x] fix Rule::unless for callable $condition by @​dbakan in #​49726
• [10.x] Adds JobQueueing event by @​dmason30 in #​49722
• [10.x] Fix decoding issue in MailLogTransport by @​rojtjo in #​49727
• [10.x] Implement "max" validation rule for passwords by @​angelej in #​49739
• [10.x] Add multiple channels/routes to AnonymousNotifiable at once by @​iamgergo in #​49745
• [10.x] Sort service providers alphabetically by @​buismaarten in #​49762
• [10.x] Global default options for the http factory by @​timacdonald in #​49767
• [10.x] Only use Carbon if accessed from Laravel or also uses illuminate/support by @​crynobone in #​49772
• [10.x] Add Str::unwrap by @​stevebauman in #​49779
• [10.x] Allow Uuid and Ulid in Carbon::createFromId() by @​kylekatarnls in #​49783
• [10.x] Test Improvements by @​crynobone in #​49785

v10.41.0

Compare Source

• [10.x] Add a threshold parameter to the Number::spell helper by @​caendesilva in #​49610
• Revert "[10.x] Make ComponentAttributeBag Arrayable" by @​luanfreitasdev in #​49623
• [10.x] Fix return value and docblock by @​dwightwatson in #​49627
• [10.x] Add an option to specify the default path to the models directory for php artisan model:prune by @​dbhynds in #​49617
• [10.x] Allow job chains to be conditionally dispatched by @​fjarrett in #​49624
• [10.x] Add test for existing empty test by @​lioneaglesolutions in #​49632
• [10.x] Add additional context to Mailable assertion messages by @​lioneaglesolutions in #​49631
• [10.x] Allow job batches to be conditionally dispatched by @​fjarrett in #​49639
• [10.x] Revert parameter name change by @​timacdonald in #​49659
• [10.x] Printing Name of The Method that Calls ensureIntlExtensionIsInstalled in Number class. by @​devajmeireles in #​49660
• [10.x] Update pagination tailwind.blade.php by @​anasmorahhib in #​49665
• [10.x] feat: add base argument to Stringable->toInteger() by @​adamczykpiotr in #​49670
• [10.x]: Remove unused class ShouldBeUnique when make a job by @​Kenini1805 in #​49669
• [10.x] Add tests for Eloquent methods by @​milwad-dev in #​49673
• Implement draft workflow by @​driesvints in #​49683
• [10.x] Fixing Types, Word and Returns of Numberclass. by @​devajmeireles in #​49681
• [10.x] Test Improvements by @​crynobone in #​49679
• [10.x] Officially support floats in trans_choice and Translator::choice by @​philbates35 in #​49693
• [10.x] Use static function by @​michaelnabil230 in #​49696
• [10.x] Revert "[10.x] Improve numeric comparison for custom casts" by @​driesvints in #​49702
• [10.x] Add exit code to queue:clear, and queue:forget commands by @​bytestream in #​49707
• [10.x] Allow StreamInterface as raw HTTP Client body by @​janolivermr in #​49705

v10.40.0

Compare Source

• [10.x] Model::preventAccessingMissingAttributes() raises exception for enums & primitive castable attributes that were not retrieved by @​cosmastech in #​49480
• [10.x] Include system versioned tables for MariaDB by @​hafezdivandari in #​49509
• [10.x] Fixes the Arr::dot() method to properly handle indexes array by @​kayw-geek in #​49507
• [10.x] Expand Gate::allows & Gate::denies signature by @​antonkomarev in #​49503
• [10.x] Improve numeric comparison for custom casts by @​imahmood in #​49504
• [10.x] Add session except method by @​xurshudyan in #​49520
• [10.x] Add Number::clamp by @​jbrooksuk in #​49512
• [10.x] Fix Schedule test by @​michaelnabil230 in #​49538
• [10.x] Use correct format of date by @​buismaarten in #​49541
• [10.x] Clean Arr by @​michaelnabil230 in #​49530
• [10.x] Make ComponentAttributeBag Arrayable by @​iamgergo in #​49524
• [10.x] Fix whenAggregated when default is not specified by @​lovePizza in #​49521
• [10.x] Update AsArrayObject.php to use ARRAY_AS_PROPS flag by @​pintend in #​49534
• [10.x] Remove invalid RedisCluster::client() call by @​tillkruss in #​49560
• [10.x] Remove unused code from PhpRedisConnector by @​tillkruss in #​49559
• [10.x] Flush about command during test runs by @​timacdonald in #​49557
• [10.x] Fix parentOfParameter method by @​iamgergo in #​49548
• [10.x] Make the Schema Builder macroable by @​kevinb1989 in #​49547
• [10.x] Remove unused code from tests by @​imahmood in #​49566
• [10.x] Update Query/Builder.php $columns typehint by @​Grldk in #​49563
• [10.x] Add assertViewEmpty to TestView by @​dwightwatson in #​49558
• [10.x] Update tailwind.blade.php for dark mode by @​sabinchacko03 in #​49515
• [10.x] Fix deprecation with null value in cache FileStore by @​driesvints in #​49578
• [10.x] Allow Vite asset path customization by @​timacdonald in #​49437
• [10.x] Type hinting of the second parameter of date- and time-related where*() methods of Illuminate\Database\Query\Builder by @​lorenzolosa in #​49599
• [10.x] Fix Stringable::convertCase() return type by @​vaites in #​49590
• Allow \Blade::stringable() to be called on native Iterables by @​tsjason in #​49591
• [10.x] Refactor time handling using InteractsWithTime trait method by @​xurshudyan in #​49601
• [10.x] Add assertCount test helper by @​xurshudyan in #​49609
• [10.x] Ability to establish connection without using Config Repository by @​deleugpn in #​49527
• [10.x] Add APA style title helper by @​hotmeteor in #​49572
• [10.x] Fix usage of alternatives in error output by @​Mrjavaci in #​49614
• [10.x] Use locks for queue job popping for PlanetScale's MySQL-compatible Vitess 19 engine by @​crynobone in #​49561

v10.39.0

Compare Source

• [9.x] Support for phpredis 6.0.0 by @​MichalHubatka in #​48380
• [10.x] Dynamic maxTries for queued jobs by @​mechelon in #​49473
• [10.x] Avoid TypeError when using json validation rule when PHP < 8.3 by @​Xint0 in #​49474
• [10.x] Fix use statement compilation in Blade templates by @​MrPunyapal in #​49479
• [10.x] Allow testing prompts validation by @​cerbero90 in #​49447
• [10.x] Add 'Roundrobin' Symfony mailer transport driver by @​me-shaon in #​49435

v10.38.2

Compare Source

• [10.x] Add conflict for doctrine/dbal:^4.0 to illuminate/database by @​crynobone in #​49456
• [10.x] Simplify Arr::dot by @​bastien-phi in #​49461
• [10.x] Illuminate\Filesystem\join_paths(): Argument #​2 must be of type string, null given by @​tylernathanreed in #​49467
• [10.x] Allow deprecation logging in tests by @​timacdonald in #​49457
• [10.x] Fix missing Validation rules not working with nested array by @​aabadawy in #​49449

v10.38.1

Compare Source

• [10.x] Adds support for parse callbacks from anonymous classes by @​nunomaduro in #​49432
• Revert "[10.x] Drop the primary key if it exists when adding a new primary key" by @​taylorotwell in #​49448
• [10.x] Fix installing DBAL on a fresh app by @​timacdonald in #​49438
• [10.x] Add method to create request by @​dododedodonl in #​49446
• [10.x] Move Illuminate\Foundation\Application::joinPaths() to Illuminate\Filesystem\join_paths() by @​crynobone in #​49433

v10.38.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.