Your weekly roundup of Laravel news, packages, and community updates
From the Laravel Community

Axios versions 1.14.1 and 0.30.4 were compromised on npm with a remote access trojan embedded in a postinstall script. In response, Laravel took proactive measures to help protect the community from this supply chain attack.
Watch the tutorial:
- X: https://x.com/i/status/2039348575268712448
Source:
- X: https://x.com/laravelphp/status/2038979822886723953

Laravel 13.2.0 introduces expressive model attributes, enabling you to configure model behavior declaratively at the class level with greater clarity and less boilerplate.
Read more:
- Laravel News: https://laravel-news.com/laravel-13-2-0

Debugbar v4.2.0 is released with a new Boost skill to enhance your debugging experience.
Read more:
- Laravel News: https://laravel-news.com/debugbar-releases-v420-and-add-a-new-boost-skill

The Laravel team explains how they reduced Laravel Cloud load times by 60% using Nightwatch for performance monitoring.
Read more:
- Laravel Blog: https://laravel.com/blog/cutting-laravel-cloud-load-times-by-60-with-nightwatch

Laravel now includes Teams support across all Starter Kits. Update the Laravel installer to start with Teams out of the box.
Source:
- X: https://x.com/wendell_adriel/status/2037501436838211808

Nuno Maduro and Aaron Francis explore practical approaches to integrating AI capabilities directly into Laravel applications, focusing on real-world use cases and implementation patterns.
Watch the tutorial:
- YouTube: https://youtu.be/_78-xwTyQeE?si=F5nbdoETNkOhuAre

Nuno Maduro unveils a new PHP testing tool aimed at making test writing faster and more expressive.
Source:
- X: https://x.com/enunomaduro/status/2039341506650120704

Trending Dev Packages

A lightweight Xdebug alternative built for speed — easier to set up with minimal performance overhead.
Read more:
- Laravel News: https://laravel-news.com/php-debugger-a-lightweight-xdebug-alternative-built-for-speed

Around the Dev Community

A compromised npm maintainer account (@jasonsaayman) was used to publish two malicious versions of the widely used Axios HTTP client — 1.14.1 (tagged latest) and 0.30.4 (tagged legacy). As a result, a default npm install axios could resolve to a backdoored package.
Read more:
- Elastic: https://elastic.co/security-labs/axios-one-rat-to-rule-them-all
- Step Security: https://stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Claude Code’s source was exposed via a .map sourcemap file included in their npm package.
Read more:
- Engineer’s Codex: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code
- WaveSpeed: https://wavespeed.ai/blog/posts/what-is-claw-code
However, as Boris Cherny clarified, this was a developer misconfiguration, not an issue with the tooling itself.
Sources:
- X: https://x.com/bcherny/status/2039168928145109343
- X: https://x.com/bcherny/status/2039210700657307889
A quick search reveals multiple leaked copies, with one of the most circulated versions rewritten in Python under the name Claw Code:
- GitHub: https://github.com/ultraworkers/claw-code

New Claude features and updates announced, covering expanded capabilities and improved developer tooling.
Sources:
You're receiving this because you subscribed to Digging Code.