About

Creator of MaravelQL
Creator of the maravel-rest-wizard / laravel-crud-wizard-free lib suites
Definer of Equivalent constant engine torque

Forums

Maravel-Framework 10.70: Eradicating PHP Object Injection from Background Queue

Maravel-Framework 10.70 brings Storable Array Callables to queues (and queued events) available both in the Maravel micro-framework and Maravelith.

This is a safer alternative to serializing objects when dispatching a message to the queue, because the payload is never passed through unserialize(), so PHP Object Injection is ruled out entirely. PHP Object Injection lets an attacker weaponize magic methods for Remote Code Execution (RCE). The framework already guards against it, but a leaked APP_KEY removes that guard. By avoiding serialized objects altogether, the vulnerability is neutralized, and Redis and SQS payload sizes shrink as well.

The feature is fully backward compatible but it can also enforce the prevention via a public constant in the \App\Application class:

namespace App;

class Application extends \Laravel\Lumen\Application
{
    public const FORBID_SERIALIZED_OBJECTS_IN_QUEUE = true;
}

Maravel-Framework 10.70: Callable Arrays in Queues

Version 10.70 will introduce the ability to dispatch standard PHP callable arrays directly to the queue (e.g., [Service::class, 'method']).

Advantages:

  • Avoids unserialize(): Completely bypasses the need to serialize and unserialize closures or full object instances. This eliminates serialization bugs, reduces execution overhead, and removes the security risks natively associated with PHP's unserialize().

  • Reduced Payload Size: Only the class string and method name are stored in the queue backend (Redis, database, etc.), drastically cutting down payload size compared to serialized objects or large closures.

  • Fresh Container Resolution: The queue worker instantiates the class directly through the Dependency Injection container at the exact moment of execution. This guarantees the job runs with the latest application code and avoids stale state issues caused by saving an object's state at the time of dispatch.

  • No Boilerplate: Allows you to execute background logic directly from existing service classes, removing the need to create and maintain dedicated Job classes for simple operations.

    Discover more https://github.com/macropay-solu...
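To make the mechanism concrete, here is an added illustration written for this page; it is not Maravel-Framework code. The ReportMailer service, the allow-list and the container resolver closure are constructed assumptions; the point is that the queue backend stores only a class string, a method name and scalar arguments, and the worker rebuilds the call with json_decode() and reflection instead of unserialize().

```php
<?php
declare(strict_types=1);

// Constructed service class standing in for any existing application service.
final class ReportMailer
{
    public function send(string $to, int $reportId): string
    {
        return "sent report {$reportId} to {$to}";
    }
}

// Dispatch side: a callable array [Service::class, 'method'] plus plain arguments
// becomes a small JSON document. No object graph, no serialize().
function makeQueuePayload(array $callable, array $args): string
{
    [$class, $method] = $callable;
    return json_encode(['class' => $class, 'method' => $method, 'args' => $args], JSON_THROW_ON_ERROR);
}

// Worker side: decode with json_decode() (never unserialize()), refuse classes that
// are not on the allow-list, require a public method, then resolve a fresh instance
// through the container ($resolve is a hypothetical stand-in for the DI container).
function runQueuePayload(string $payload, array $allowedClasses, callable $resolve): string
{
    $job = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    if (!in_array($job['class'], $allowedClasses, true)) {
        throw new RuntimeException("{$job['class']} is not allowed to run from the queue");
    }
    $method = new ReflectionMethod($job['class'], $job['method']);
    if (!$method->isPublic()) {
        throw new RuntimeException("{$job['class']}::{$job['method']} is not public");
    }
    return (string) $method->invokeArgs($resolve($job['class']), $job['args']);
}

$allowed = [ReportMailer::class];
$resolve = fn (string $class): object => new $class(); // container stand-in

$payload = makeQueuePayload([ReportMailer::class, 'send'], ['ops@example.test', 42]);
echo runQueuePayload($payload, $allowed, $resolve), PHP_EOL;

// A tampered payload naming an arbitrary class is rejected before any code runs.
$tampered = json_encode(['class' => 'SomeOtherClass', 'method' => '__destruct', 'args' => []]);
try {
    runQueuePayload($tampered, $allowed, $resolve);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list and the public-method check are what keep a payload written into Redis or SQS by someone else from steering the worker to code it was never meant to run.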

Maravel-Framework 10.69.2 Straightens Its Validation Logic

Version 10.69.2 patches some corner cases in validation, such as rules that throw exceptions for different reasons.

The docs have been updated.

Subject: [PATCH] Document POC https://github.com/laravel/frame... cr + add return for fix https://github.com/laravel/frame... n validation.md
---
Index: validation.md
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/validation.md b/validation.md
--- a/validation.md (revision 5132a50e5a568771414403dcb7c990cc8d582287)
+++ b/validation.md (revision ffc447842142e098ac1931d685aabe0287890428)
@@ -148,6 +148,13 @@ In this example, if the `unique` rule on the `title` attribute fails, the `max` rule will not be checked. Rules will be validated in the order they are assigned. +> [!NOTE]
+> Automatic Termination for Primitive Rules
+
+> In Maravel-Framework, certain primitive type rules act as implicit "bail" rules. If any of the following rules fail for an attribute, validation for that attribute will stop immediately to prevent unnecessary processing or potential type errors in subsequent rules:
+`uploaded`, `Numeric`, `Array`, `Boolean`, `String`, `Integer`, and `Decimal`.
+> Additionally, if a rule throws an exception, that rule will act as `Bail` and no other rules will run.
+ <a name="a-note-on-nested-attributes"></a> #### A Note on Nested Attributes @@ -2385,3 +2392,10 @@ > An "implicit" rule only _implies_ that the attribute is required. Whether it actually invalidates a missing or empty attribute is up to you. > > Maravel-Framework validates the present field even if empty or null!
+
+
+> [!NOTE]
+> Implicit Behavior of Type Rules
+
+> While not strictly "Implicit", `Numeric`, `Array`, `Boolean`, `String`, `Integer`, and `Decimal` rules are treated with the same priority as implicit rules regarding the validation lifecycle. Once one of these core type expectations fails, the validator considers the attribute's state "unusable" and halts further validation for that specific field. That is why you should always precede rules that need a certain type with one of the above rules.
+> Furthermore, any rule that throws a Throwable will trigger an automatic Bail, isolating the failure to prevent system-wide crashes.
\ No newline at end of file
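Review bot: In the first hunk the added note is split into two blockquotes and loses one line of its content: the `+` line that follows `> Automatic Termination for Primitive Rules` is an empty line without the `>` prefix, so Markdown closes the `[!NOTE]` alert there, and the rule list `uploaded`, `Numeric`, `Array`, ... on the next-but-one line has no `>` prefix at all, so it renders outside the quote as a stray paragraph. Keep every line of the note prefixed with `>` (use `>` alone for the blank line) and make the rule names consistent with how the rules are actually spelled in rule strings, since `uploaded` is lowercase while `Numeric`, `Array` and the others are capitalised in the same list.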

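Review bot: The second hunk has the same blockquote break as the first: the bare `+` line between `> Implicit Behavior of Type Rules` and `> While not strictly "Implicit", ...` ends the `[!NOTE]` alert, so the title and the body render as two separate quotes. The two notes also disagree on wording: the first lists `uploaded` among the auto-bail rules and says "throws an exception", while this one omits `uploaded` and says "throws a Throwable"; pick one rule list and one term and use it in both places. Finally, the file now ends without a trailing newline (`\ No newline at end of file`), which should be restored.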
I chose this general patch over changing each of the rules and duplicating the is_string check, for example.
