Laravel 5.6 Upgrade Guide

Upgrading To 5.6.30 From 5.6 (Security Release)

Laravel 5.6.30 is a security release of Laravel and is recommended as an immediate upgrade for all users. Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic, so please read the following notes carefully when upgrading your application.

This vulnerability may only be exploited if your application encryption key (APP_KEY environment variable) has been accessed by a malicious user. Typically, it is not possible for users of your application to gain access to this value. However, ex-employees that had access to the encryption key may be able to use the key to attack your applications. If you have any reason to believe your encryption key is in the hands of a malicious party, you should always rotate the key to a new value.

Cookie Serialization

Laravel 5.6.30 disables all serialization / unserialization of cookie values. Since all Laravel cookies are encrypted and signed, cookie values are typically considered safe from client tampering. However, if your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.

Disabling serialization on all cookie values will invalidate all of your application's sessions and users will need to log into the application again. In addition, any other encrypted cookies your application is setting will have invalid values. For this reason, you may wish to add additional logic to your application to validate that your custom cookie values match an expected list of values; otherwise, you should discard them.

Configuring Cookie Serialization

Since this vulnerability is not able to be exploited without access to your application's encryption key, we have chosen to provide a way to re-enable encrypted cookie serialization while you make your application compatible with these changes. To enable / disable cookie serialization, you may change the static serialize property of the App\Http\Middleware\EncryptCookies middleware:

/**
 * Indicates if cookies should be serialized.
 *
 * @var bool
 */
protected static $serialize = true;

Note: When encrypted cookie serialization is enabled, your application will be vulnerable to attack if its encryption key is accessed by a malicious party. If you believe your key may be in the hands of a malicious party, you should rotate the key to a new value before enabling encrypted cookie serialization.

Dusk 4.0.0

Dusk 4.0.0 has been released and does not serialize cookies. If you choose to enable cookie serialization, you should continue to use Dusk 3.0.0. Otherwise, you should upgrade to Dusk 4.0.0.

Passport 6.0.7

Passport 6.0.7 has been released with a new Laravel\Passport\Passport::withoutCookieSerialization() method. Once you have disabled cookie serialization, you should call this method within your application's AppServiceProvider.

Upgrading To 5.6.0 From 5.5

Estimated Upgrade Time: 10 - 30 Minutes

Note: We attempt to document every possible breaking change. Since some of these breaking changes are in obscure parts of the framework only a portion of these changes may actually affect your application.

PHP

Laravel 5.6 requires PHP 7.1.3 or higher.

Updating Dependencies

Update your laravel/framework dependency to 5.6.* and your fideloper/proxy dependency to ^4.0 in your composer.json file.

In addition, if you are using the following first-party Laravel packages, you should upgrade them to their latest release:

Of course, don't forget to examine any 3rd party packages consumed by your application and verify you are using the proper version for Laravel 5.6 support.

Symfony 4

All of the underlying Symfony components used by Laravel have been upgraded to the Symfony ^4.0 release series. If you are directly interacting with Symfony components within your application, you should review the Symfony change log.

PHPUnit

You should update the phpunit/phpunit dependency of your application to ^7.0.

Arrays

The Arr::wrap Method

Passing null to the Arr::wrap method will now return an empty array.

Artisan

The optimize Command

The previously deprecated optimize Artisan command has been removed. With recent improvements to PHP itself including the OPcache, the optimize command no longer provides any relevant performance benefit. Therefore, you may remove php artisan optimize from the scripts within your composer.json file.

Blade

HTML Entity Encoding

In previous versions of Laravel, Blade (and the e helper) would not double encode HTML entities. This was not the default behavior of the underlying htmlspecialchars function and could lead to unexpected behavior when rendering content or passing in-line JSON content to JavaScript frameworks.

In Laravel 5.6, Blade and the e helper will double encode special characters by default. This brings these features into alignment with the default behavior of the underlying htmlspecialchars PHP function. If you would like to maintain the previous behavior of preventing double encoding, you may use the Blade::withoutDoubleEncoding method:

<?php

namespace App\Providers;

use Illuminate\Support\Facades\Blade;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    /**
     * Bootstrap any application services.
     *
     * @return void
     */
    public function boot()
    {
        Blade::withoutDoubleEncoding();
    }
}

Cache

The Rate Limiter tooManyAttempts Method

The unused $decayMinutes parameter was removed from this method's signature. If you were overriding this method with your own implementation, you should also remove the argument from your method's signature.

Database

Index Order Of Morph Columns

The indexing of the columns built by the morphs migration method has been reversed for better performance. If you are using the morphs method in one of your migrations, you may receive an error when attempting to run the migration's down method. If the application is still in development, you may use the migrate:fresh command to rebuild the database from scratch. If the application is in production, you should pass an explicit index name to the morphs method.

MigrationRepositoryInterface Method Addition

A new getMigrationsBatches method has been added to the MigrationRepositoryInterface. In the very unlikely event that you were defining your own implementation of this class, you should add this method to your implementation. You may view the default implementation in the framework as an example.

Eloquent

The getDateFormat Method

This getDateFormat method is now public instead of protected.

Hashing

New Configuration File

All hashing configuration is now housed in its own config/hashing.php configuration file. You should place a copy of the default configuration file in your own application. Most likely, you should maintain the bcrypt driver as your default driver. However, argon is also supported.

Helpers

The e Helper

In previous versions of Laravel, Blade (and the e helper) would not double encode HTML entities. This was not the default behavior of the underlying htmlspecialchars function and could lead to unexpected behavior when rendering content or passing in-line JSON content to JavaScript frameworks.

In Laravel 5.6, Blade and the e helper will double encode special characters by default. This brings these features into alignment with the default behavior of the underlying htmlspecialchars PHP function. If you would like to maintain the previous behavior of preventing double encoding, you may pass false as the second argument to the e helper:

<?php echo e($string, false); ?>

Logging

New Configuration File

All logging configuration is now housed in its own config/logging.php configuration file. You should place a copy of the default configuration file in your own application and tweak the settings based on your application's needs.

The log and log_level configuration options may be removed from the config/app.php configuration file.

The configureMonologUsing Method

If you were using the configureMonologUsing method to customize the Monolog instance for your application, you should now create a custom Log channel. For more information on how to create custom channels, check out the full logging documentation.

The Log Writer Class

The Illuminate\Log\Writer class has been renamed to Illuminate\Log\Logger. If you were explicitly type-hinting this class as a dependency of one of your application's classes, you should update the class reference to the new name. Or, alternatively, you should strongly consider type-hinting the standardized Psr\Log\LoggerInterface interface instead.

The Illuminate\Contracts\Logging\Log Interface

This interface has been removed since this interface was a total duplication of the Psr\Log\LoggerInterface interface. You should type-hint the Psr\Log\LoggerInterface interface instead.

Mail

withSwiftMessage Callbacks

In previous releases of Laravel, Swift Messages customization callbacks registered using withSwiftMessage were called after the content was already encoded and added to the message. These callbacks are now called before the content is added, which allows you to customize the encoding or other message options as needed.

Pagination

Bootstrap 4

The pagination links generated by the paginator now default to Bootstrap 4. To instruct the paginator to generate Bootstrap 3 links, call the Paginator::useBootstrapThree method from the boot method of your AppServiceProvider:

<?php

namespace App\Providers;

use Illuminate\Pagination\Paginator;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    /**
     * Bootstrap any application services.
     *
     * @return void
     */
    public function boot()
    {
        Paginator::useBootstrapThree();
    }
}

Resources

The original Property

The original property of resource responses is now set to the original model instead of a JSON string / array. This allows for easier inspection of the response's model during testing.

Routing

Returning Newly Created Models

When returning a newly created Eloquent model directly from a route, the response status will now automatically be set to 201 instead of 200. If any of your application's tests were explicitly expecting a 200 response, those tests should be updated to expect 201.

Trusted Proxies

Due to underlying changes in the trusted proxy functionality of Symfony HttpFoundation, slight changes must be made to your application's App\Http\Middleware\TrustProxies middleware.

The $headers property, which was previously an array, is now a bit property that accepts several different values. For example, to trust all forwarded headers, you may update your $headers property to the following value:

use Illuminate\Http\Request;

/**
 * The headers that should be used to detect proxies.
 *
 * @var int
 */
protected $headers = Request::HEADER_X_FORWARDED_ALL;

For more information on the available $headers values, check out the full documentation on trusting proxies.

Validation

The ValidatesWhenResolved Interface

The validate method of the ValidatesWhenResolved interface / trait has been renamed to validateResolved in order to avoid conflicts with the $request->validate() method.

Miscellaneous

We also encourage you to view the changes in the laravel/laravel GitHub repository. While many of these changes are not required, you may wish to keep these files in sync with your application. Some of these changes will be covered in this upgrade guide, but others, such as changes to configuration files or comments, will not be. You can easily view the changes with the GitHub comparison tool and choose which updates are important to you.