Open-Source Wikis

/

Laravel

/

Reference

/

Dependencies

laravel/laravel

Dependencies

Every package the skeleton requires. Source: composer.json (PHP) and package.json (Node).

PHP runtime requires

Package Constraint Purpose
php ^8.3 Minimum PHP version
laravel/framework ^13.7 The Laravel framework — the actual code that powers the skeleton
laravel/tinker ^3.0 Interactive REPL (php artisan tinker)

That's the entire production dep list — three constraints. Everything else is dev-only.

PHP dev requires

Package Constraint Purpose
fakerphp/faker ^1.23 Faker library for database/factories/UserFactory.php
laravel/pail ^1.2.5 Live log tailer (php artisan pail)
laravel/pao ^1.0.6 Recently added (v13.4.0, 2026-04-28); see CHANGELOG
laravel/pint ^1.27 Code style fixer (vendor/bin/pint)
mockery/mockery ^1.6 Mocking library used by tests
nunomaduro/collision ^8.6 Pretty CLI exception output
phpunit/phpunit ^12.5.12 Test runner

Composer config

Notable settings in composer.json:

"config": {
    "optimize-autoloader": true,
    "preferred-install": "dist",
    "sort-packages": true,
    "allow-plugins": {
        "pestphp/pest-plugin": true,
        "php-http/discovery": true
    }
}
  • optimize-autoloader — generates a class map at install/update for faster autoload.
  • preferred-install: dist — pulls zipped releases instead of cloning git history.
  • sort-packages — keeps the require/require-dev blocks alphabetized.
  • allow-plugins — pre-allows two specific Composer plugins so installs don't prompt.

Other config:

"minimum-stability": "stable",
"prefer-stable": true

npm devDependencies

package.json has no dependencies block — only devDependencies.

Package Constraint Purpose
@tailwindcss/vite ^4.0.0 Tailwind v4 Vite plugin (no PostCSS step)
concurrently ^9.0.1 Used by composer dev script to run 4 processes in parallel
laravel-vite-plugin ^3.1 Maps Blade's @vite directive to dev/built asset URLs
tailwindcss ^4.0.0 Tailwind CSS
vite ^8.0.0 Frontend dev server + bundler

npm config

.npmrc:

ignore-scripts=true
audit=true

ignore-scripts=true (added 2026-04-01) prevents lifecycle scripts (postinstall, preinstall) from any installed package from executing. audit=true (added 2026-04-15) makes npm install warn about vulnerable transitive deps.

package.json:

{
  "$schema": "https://www.schemastore.org/package.json",
  "private": true,
  "type": "module"
}
  • private: true — refuses publication to the npm registry.
  • type: module — Vite config and any other .js files use ESM by default.

Auto-discovered Laravel packages

The framework auto-discovers service providers from any installed Composer package's extra.laravel.providers block. The skeleton's composer.json contains:

"extra": {
    "laravel": {
        "dont-discover": []
    }
}

dont-discover: [] is the default — every package's providers and aliases are registered automatically. To skip a specific package's auto-discovery, list its name in the array (e.g. "dont-discover": ["barryvdh/laravel-debugbar"]).

Dependency freshness signals

Dependency Last visible bump in CHANGELOG
laravel/framework Constraint ^13.7 corresponds to the v13.x release line opened in March 2026
laravel/pao Added in v13.4.0 (2026-04-28)
laravel/pail Pinned at ^1.2.5; tracks framework majors
vite ^8.0.0 — bumped to v8 in v13.1.0 (2026-03-18)
tailwindcss ^4.0.0 — Tailwind v4 came in earlier in the v12.x line
phpunit/phpunit ^12.5.12 — pinned at this minimum to address a CVE (PR #6746, v12.12.0)

The composer outdated and npm outdated commands give a real-time view of where each constraint sits relative to the latest published version. The skeleton's policy is to bump constraints only when the framework itself moves to a major version that requires it — so dependencies tend to be slightly older than the bleeding edge but never wildly stale.

What's not listed here

Several Laravel ecosystem packages are commonly added to laravel/laravel projects but are not in this skeleton's defaults:

  • laravel/sail — Docker dev environment
  • laravel/breeze — Auth scaffolding
  • laravel/jetstream — Auth + teams scaffolding
  • laravel/sanctum — API token auth
  • laravel/passport — OAuth2 server
  • laravel/horizon — Queue dashboard
  • laravel/telescope — Debug assistant
  • laravel/pulse — Application performance monitoring
  • laravel/scout — Full-text search
  • laravel/cashier — Stripe billing
  • barryvdh/laravel-debugbar — Debug bar

phpunit.xml's <env> block proactively disables Pulse, Telescope, and Nightwatch (PULSE_ENABLED=false, TELESCOPE_ENABLED=false, NIGHTWATCH_ENABLED=false) so installing them later doesn't break the test suite. The other packages are inert until added.

For the Composer / npm tool details, see How to contribute → Tooling.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Dependencies – Laravel wiki | Factory