packagist psalm/plugin-laravel v4.5.0

5 hours ago

What's Changed

Three new opt-in rules, expanded taint coverage, and fewer false positives across the board (focus on __() and trans()).

New Rules

  • MissingView: Detect missing Blade view files in view() and View::make() calls (#579) @alies-dev
  • ModelMakeDiscouraged: Detect undefined translation keys in __() and trans() calls (#595) @alies-dev
  • MissingTranslation: Warn against Model::make() in favor of new Model() @alies-dev

Type Improvements

  • Narrow __() and trans() return type to string|array (was mixed) (#592) @alies-dev
  • Narrow __() return to string when the translation key is known to exist @alies-dev
  • Suppress false-positive MissingTemplateParam on HasFactory trait (#517) @alies-dev
  • Skip method forwarding for methods defined directly on Model (#498) @alies-dev
  • Add missing implements clauses to 15 stubs (#615) @alies-dev
  • Fix morphTo stub to bypass $this issue in generics @alies-dev
  • Fix morphToMany/morphedByMany signatures @alies-dev
  • Add @return static to Stringable stub methods @alies-dev

Security (Taint Analysis)

  • 🛡️ Add @psalm-taint-source input for Route parameter methods (#608) @alies-dev
  • 🛡️ Add taint sinks for Redis eval/executeRaw (Lua injection) @alies-dev
  • 🛡️ Add header taint sinks for CookieJar methods @alies-dev
  • 🛡️ Add $path/$domain sinks to Cookie::expire() and forget() @alies-dev
  • 🛡️ Add taint flow tracking through Str::of(), str(), and Stringable @alies-dev
  • 🛡️ Mark Hash::make() and bcrypt() as @psalm-taint-escape system_secret @alies-dev
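An added illustration (not code from the plugin or this release) of how the new taint sources, sinks and escapes are expected to interact in application code analysed by the plugin; the controller, route parameter and key names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code or tests: sketches the data
// flows that v4.5.0's new taint sources/sinks are meant to follow in an app
// analysed with psalm/plugin-laravel. Class, route and key names are made up.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Cookie;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Redis;
use Illuminate\Support\Str;

final class CounterController extends Controller
{
    // Route parameters are now a taint source (#608), and taint is tracked
    // through Str::of()/Stringable chains, so $key is still tainted here.
    public function bump(Request $request): RedirectResponse
    {
        $key = (string) Str::of($request->route('name'))->lower();

        // Expected to be reported by the new Redis eval sink: user data is
        // interpolated into the Lua script body itself.
        Redis::eval("return redis.call('incr', '$key')", 0);

        // Expected to be clean: the script is a constant and the tainted value
        // is passed as a KEYS entry, which Lua can only treat as data.
        Redis::eval("return redis.call('incr', KEYS[1])", 1, $key);

        // $path/$domain on expire()/forget() are now sinks; a literal path is
        // clean, a user-controlled path would be reported.
        Cookie::queue(Cookie::forget('counter_hint', '/'));

        return redirect()->back();
    }

    // Hash::make()/bcrypt() are now @psalm-taint-escape system_secret: passing
    // the digest on (storing, logging) is no longer treated as a secret leak,
    // while doing the same with $password itself still is.
    public function digest(string $password): string
    {
        return Hash::make($password);
    }
}
```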

Benchmark

Tested against 10 real-world Laravel apps (bagisto, coolify, monica, pixelfed, solidtime, unit3d, vito, and others). Combined results vs v4.4.0:

Metric                          v4.4.0   v4.5.0   Delta
Total issues                    84,503   76,123   -9.9%
Plugin-caused false positives    5,115    4,155   -18.8%
Security findings (taint)           83       84   +1

Full Changelog: v4.4.0...v4.5.0
