Freek.dev

You can't out-prompt an attacker — to the model, your system instructions and a malicious support ticket are the same text. So stop defending the prompt and lock down the boundaries you actually control: tools scoped to the authenticated user server-side, middleware that screens and logs, output handled as untrusted input, a human in front of anything irreversible, and a fake-free test that fails CI the moment someone drops the auth scope.

Read more [mujahidabbas.dev]

Matthias writes that AI has shifted more of software development from typing to thinking, reviewing, and iterating. Nice reflection on how agentic coding, parallel worktrees, and voice dictation can slow individual features down while still increasing overall output.

Read more [ma.ttias.be]

Flare now supports log collection for Laravel and PHP apps, with real-time filtering and search in the same polished interface. A nice overview of what logging adds and how to get started with the new SDK release.

Read more [flareapp.io]

Your Agent::fake() tests prove your Laravel AI feature runs — not that its output is any good. This evals a real ticket classifier with the AI SDK: a golden dataset for the fields you can check, an LLM-as-judge for the free text you can't, and a regression gate that catches a bad prompt before your customers do.

Read more [mujahidabbas.dev]

We built deep Livewire support into Flare, making component hierarchies, lifecycle phases, method calls, and related queries visible inside traces. It looks like a solid step forward for understanding where Livewire apps spend time and where things go wrong.

Read more [flareapp.io]

We shipped a Svelte 5 integration for Flare with an error boundary, component hierarchy reporting, and lifecycle-aware context. Looks especially useful for seeing which component broke, and where the error came from.

Read more [flareapp.io]

We shipped dedicated webpack and Next.js plugins for Flare that upload sourcemaps after each production build. Nice update, especially the Next.js wrapper that handles source map generation and cleanup for you.

Read more [flareapp.io]

Steve King explains why Tempest feels so nice for API work: typed request objects, declarative validation, route discovery, and a low-ceremony action flow. It is a good look at how the framework removes boilerplate without giving up clarity.

Read more [www.juststeveking.com]

Daniel Petrica tells the story of how an unpatched Livewire vulnerability on a forgotten side project exposed Mailcoach API keys and led to 50,000 spam emails being sent. It is a useful reminder to keep dormant apps updated, and a good real-world example of how Docker can limit the blast radius when something goes wrong.

Read more [danielpetrica.com]

Michael Dyrynda shows how PHP 8.4 property hooks can replace simple computed getter methods with virtual properties. He makes the case for using them when you want a clean, property-based API for derived values.

Read more [dyrynda.com.au]

Michael Dyrynda shows how Laravel's distinct validation rule can protect nested request payloads from duplicate reference values before they corrupt relationship mapping. He also highlights the strict and ignore_case options for cases where loose comparison is not enough.

Read more [dyrynda.com.au]

Every shares how its team uses AI agents in a compounding loop of planning, working, assessing, and feeding lessons back into the system. The big idea: each feature should make the next one easier to build because the agents keep learning the codebase.

Read more [every.to]

An inside look at the stack powering There There: Laravel, Inertia, React, TypeScript, Horizon, Reverb, and a bunch of Spatie packages and services. A nice overview of the pragmatic tooling choices behind the product.

Read more [there-there.app]

Yoeri shows how to automatically open a pull request when a new PHP security advisory appears. Nice little workflow that combines Laravel Health, Oh Dear, and GitHub Actions to keep apps patched quickly.

Read more [yoeri.me]

A fun look at making coding assistants talk less, and what that actually saves in practice. The main takeaway is that shorter replies help, but most token cost still comes from the actual work: reading, reasoning, coding, and checking.

Read more [spatie.be]

Composer and Packagist share a solid overview of the supply chain security work already in place, what is shipping now, and what is coming next. Worth reading if you maintain PHP packages or care about how the ecosystem is hardening against package compromise.

Read more [blog.packagist.com]

A thoughtful review of AI-generated frontend code in a real product: strong in isolated spots, but increasingly inconsistent at the system level. It also makes the case for using AI as a candidate generator and validator, not as the reviewer with the final opinion.

Read more [spatie.be]

A good piece on using AI to understand a large existing codebase instead of generating more code. It shares practical onboarding tactics and prompts that help map domains, dependencies, and architecture faster.

Read more [spatie.be]

An interesting take on how AI changes the build-versus-buy decision for packages. Shared problems can often be generated, while hard, external, or opinionated problems still benefit from well-maintained packages.

Read more [spatie.be]

Josh Comeau shares a thoughtful take on AI, arguing that deep technical skill becomes more valuable, not less, as these tools improve. His point is that strong developers can use AI to amplify their work, while less experienced builders still struggle without solid architectural judgment.

Read more [www.joshwcomeau.com]