Patch release fixing a long-standing moderator publishing bug and patching all dependency security advisories reported by composer audit. No breaking changes.
Fixed
- Moderators could not publish articles directly. AI-generated articles assigned to the support account (
support@laravel.cm) stay awaiting approval. When a moderator edited one to set a publication date, the suspicious-content detector — triggered by the many links typical of technical articles (more than 10 URLs, or links ending in.html/.js) — forced moderation:published_atandsubmitted_atwere silently wiped, so the date never saved, and a Telegram "article submitted" notification was dispatched to the moderation channel. Moderators and admins are the approval authority, so the suspicious-content gate and theArticleWasSubmittedForApprovalevent are now skipped for them: they publish directly, with no notification. Regular users keep the full moderation flow unchanged. (#541)
Security
- Patched all dependency security advisories reported by
composer audit(27 advisories across 15 packages at time of release).composer updatepulled patched versions of the Symfony components (including the YAML parser, html-sanitizer, routing, mime and http-kernel),laravel/framework,guzzlehttp/psr7,phpseclib/phpseclib,composer/composer, and others.composer auditnow reports zero vulnerabilities.
Changed
- Console commands and Eloquent models migrated to native PHP attributes (
#[Signature],#[Description],#[WithoutTimestamps]) via Rector, aligning with Laravel 13 conventions. (#541) - PHPStan level 9 type fixes:
Threadordering now uses the framework's'asc'|'desc'direction type;SpotlightCommand::toArrayPHPDoc shape completed. (#541)
Dependencies
- Bumped 12 JS dependencies (Tailwind v4.3, Vite, shiki, fuse.js, laravel-echo, concurrently, …). (#540, #534)
Full changelog: v3.8.1...v3.8.2