packagist psalm/plugin-laravel v4.2.0
v4.2.0 - SQL Dump support
on PHP Packagist

5 hours ago

Highlights

Relationship accessors without generics — The plugin now resolves Eloquent relationship property types even when methods lack generic annotations. Previously, $user->posts required @return HasMany<Post, User> to get a precise type. Now the plugin parses the method body AST to extract the related model from $this->hasMany(Post::class), falling back gracefully to bounded types.

Static Query Builder methods on ModelsUser::where(...), User::orderBy(...), and model scopes now resolve with the correct Builder<User> return type, enabling full type inference through query chains starting from the model class.

SQL schema dump support — The plugin now parses php artisan schema:dump output (MySQL, PostgreSQL, SQLite) as a base layer for model attribute discovery. PHP migrations are applied on top, matching Laravel's own resolution order.

🛡️ Security: new taint sinks — Added XSS detection through HtmlString (which bypasses Blade escaping) and path traversal detection through Storage facade methods (put, writeStream, delete, copy, move, etc.).

Features

  • Resolve Eloquent relationship accessors without generic annotations (#502)
  • Resolve static Query\Builder methods and scopes on Model classes (#508)
  • Support SQL schema dumps for Eloquent model attribute discovery (#495)
  • Add stubs for Schema\ColumnDefinition, ForeignIdColumnDefinition, and ForeignKeyDefinition fluent methods (#501)
  • 🛡️ Add taint sink for HtmlString to detect XSS bypass of Blade escaping (#491)
  • 🛡️ Add taint sinks for Storage facade / FilesystemAdapter path traversal detection (#492)

Fixes

  • Process Schema calls in migration helper methods, not just up() (#509)
  • Discover Schema/Blueprint calls inside nested block structures (if/else, try/catch, foreach) (#506)
  • Add missing nullableTimestampsTz() switch case in schema aggregator
  • Narrow count/update/increment/decrement return type to int<0, max> (#499)

Improvements

  • Extract cached hasUserPseudoProperty() helper to reduce redundant storage lookups
  • Add $codebase->progress->debug() to relationship resolution catch blocks for --debug traceability
  • Remove silent constructor catch in findStubFiles() — errors now propagate to the top-level handler

Full Changelog: v4.1.0...v4.2.0

Check out latest releases or
releases around psalm/plugin-laravel v4.2.0

Don't miss a new plugin-laravel release

NewReleases is sending notifications on new releases.

Get notifications