Patch release: fewer false positives on Laravel's Application contract and uploaded files, plus a simpler (but more powerful and secure) generated CI workflow added via psalm-laravel add ci.
Fixes
- Resolve concrete-only
Applicationmethods (isProduction(),isLocal(),path(), ...) when the receiver is typed on theContracts\Foundation\Applicationinterface, eliminating falseUndefinedInterfaceMethodonapp(),ServiceProvider::$app, andCommand::$laravel(#1141) - 🛡️ Stop false
TaintedFile/TaintedSSRFonUploadedFilereads: its only string coercion is the server-controlled temp path, while the user-controlled accessors (contents, client name, MIME type) stay tainted (#1136) - Simplify the generated GitHub Actions workflow to a single Psalm job (Psalm 7 runs taint analysis by default) and add CLI-first CI docs (#1132)
Full Changelog: v4.14.1...v4.14.2