Livewire v4.2.0 Released with Security Hardening and Laravel 13 Support

Livewire v4.2.0 adds Laravel 13 support and ships seven security hardening improvements alongside new developer-facing features, including reactive props during boot hooks and a new $errors.clear() method on the JavaScript errors object.

• Add Laravel 13 support
• Add $errors.clear() to the JS errors object
• Reactive props during boot hooks
• Seven security hardening improvements
• Fix EventBus listener leak causing memory growth under Octane
• Fix silent component failures when properties contain non-UTF-8 data

#What's New

#Laravel 13 Support

Livewire v4.2.0 extends compatibility to Laravel 13.

PR: #10032

#$errors.clear() on the JS Errors Object

A new $errors.clear() method is available on the JavaScript errors object, allowing you to programmatically clear error state from the frontend without requiring a server round-trip.

PR: #9975

#Reactive Props During Boot Hooks

Props are now reactive during boot hooks, meaning you can access and react to prop values earlier in the component lifecycle. Previously, reactivity was not available until after the boot phase completed.

PR: #10019

#Security Hardening

This release includes seven targeted security improvements:

• Denylist expansion — Extended SecurityPolicy restrictions to cover additional cases. #9961
• Lifecycle method protection — Lifecycle methods can no longer be invoked via frontend requests. #9964
• X-Livewire header and JSON content type required — Update requests now require the X-Livewire header and a JSON content type, tightening the accepted request surface. #9965
• Type validation in CollectionSynth — Added type validation to prevent arbitrary class instantiation through the collection synth. #9969
• Web middleware enforced on custom update routes — Custom update routes now enforce web middleware automatically. #9971
• Payload schema validation — Implemented schema validation on incoming payloads with tiered response handling. #9970
• Timing-safe checksum comparison — Checksum comparison now uses hash_equals() to prevent timing attacks. #10012

#Fix: EventBus Listener Leak Under Octane

An EventBus listener leak that caused steady memory growth in long-running Octane processes has been resolved.

PR: #10022

#Fix: Silent Failures for Non-UTF-8 Property Data

Components with properties containing non-UTF-8 data would previously fail silently. This is now handled correctly.

PR: #10054

#Fix: Route Model Binding with Cached Middleware

Explicit route model bindings were being broken when cached route middleware was applied. This has been resolved.

PR: #9978

#Fix: wire:model with String Array Keys

wire:model was failing to set values when the target string array key did not already exist. The binding now creates the key as expected.

PR: #9981

#Upgrade Notes

No breaking changes are expected for typical applications. If you use custom Livewire update routes, review the new web middleware enforcement (#9971) and the stricter request requirements for the X-Livewire header and JSON content type (#9965).

References

• Full Changelog
• Release