Livewire v4.2.0 Released with Security Hardening and Laravel 13 Support
Last updated on by Paul Redmond
Livewire v4.2.0 adds Laravel 13 support and ships seven security hardening improvements alongside new developer-facing features, including reactive props during boot hooks and a new $errors.clear() method on the JavaScript errors object.
- Add Laravel 13 support
- Add
$errors.clear()to the JS errors object - Reactive props during boot hooks
- Seven security hardening improvements
- Fix EventBus listener leak causing memory growth under Octane
- Fix silent component failures when properties contain non-UTF-8 data
What's New
Laravel 13 Support
Livewire v4.2.0 extends compatibility to Laravel 13.
PR: #10032
$errors.clear() on the JS Errors Object
A new $errors.clear() method is available on the JavaScript errors object, allowing you to programmatically clear error state from the frontend without requiring a server round-trip.
PR: #9975
Reactive Props During Boot Hooks
Props are now reactive during boot hooks, meaning you can access and react to prop values earlier in the component lifecycle. Previously, reactivity was not available until after the boot phase completed.
PR: #10019
Security Hardening
This release includes seven targeted security improvements:
- Denylist expansion — Extended
SecurityPolicyrestrictions to cover additional cases. #9961 - Lifecycle method protection — Lifecycle methods can no longer be invoked via frontend requests. #9964
X-Livewireheader and JSON content type required — Update requests now require theX-Livewireheader and a JSON content type, tightening the accepted request surface. #9965- Type validation in
CollectionSynth— Added type validation to prevent arbitrary class instantiation through the collection synth. #9969 - Web middleware enforced on custom update routes — Custom update routes now enforce web middleware automatically. #9971
- Payload schema validation — Implemented schema validation on incoming payloads with tiered response handling. #9970
- Timing-safe checksum comparison — Checksum comparison now uses
hash_equals()to prevent timing attacks. #10012
Fix: EventBus Listener Leak Under Octane
An EventBus listener leak that caused steady memory growth in long-running Octane processes has been resolved.
PR: #10022
Fix: Silent Failures for Non-UTF-8 Property Data
Components with properties containing non-UTF-8 data would previously fail silently. This is now handled correctly.
PR: #10054
Fix: Route Model Binding with Cached Middleware
Explicit route model bindings were being broken when cached route middleware was applied. This has been resolved.
PR: #9978
Fix: wire:model with String Array Keys
wire:model was failing to set values when the target string array key did not already exist. The binding now creates the key as expected.
PR: #9981
Upgrade Notes
No breaking changes are expected for typical applications. If you use custom Livewire update routes, review the new web middleware enforcement (#9971) and the stricter request requirements for the X-Livewire header and JSON content type (#9965).
References