laravel/laravel
Dependencies
Every package the skeleton requires. Source: composer.json (PHP) and package.json (Node).
PHP runtime requires
| Package | Constraint | Purpose |
|---|---|---|
php |
^8.3 |
Minimum PHP version |
laravel/framework |
^13.7 |
The Laravel framework — the actual code that powers the skeleton |
laravel/tinker |
^3.0 |
Interactive REPL (php artisan tinker) |
That's the entire production dep list — three constraints. Everything else is dev-only.
PHP dev requires
| Package | Constraint | Purpose |
|---|---|---|
fakerphp/faker |
^1.23 |
Faker library for database/factories/UserFactory.php |
laravel/pail |
^1.2.5 |
Live log tailer (php artisan pail) |
laravel/pao |
^1.0.6 |
Recently added (v13.4.0, 2026-04-28); see CHANGELOG |
laravel/pint |
^1.27 |
Code style fixer (vendor/bin/pint) |
mockery/mockery |
^1.6 |
Mocking library used by tests |
nunomaduro/collision |
^8.6 |
Pretty CLI exception output |
phpunit/phpunit |
^12.5.12 |
Test runner |
Composer config
Notable settings in composer.json:
"config": {
"optimize-autoloader": true,
"preferred-install": "dist",
"sort-packages": true,
"allow-plugins": {
"pestphp/pest-plugin": true,
"php-http/discovery": true
}
}optimize-autoloader— generates a class map at install/update for faster autoload.preferred-install: dist— pulls zipped releases instead of cloning git history.sort-packages— keeps therequire/require-devblocks alphabetized.allow-plugins— pre-allows two specific Composer plugins so installs don't prompt.
Other config:
"minimum-stability": "stable",
"prefer-stable": truenpm devDependencies
package.json has no dependencies block — only devDependencies.
| Package | Constraint | Purpose |
|---|---|---|
@tailwindcss/vite |
^4.0.0 |
Tailwind v4 Vite plugin (no PostCSS step) |
concurrently |
^9.0.1 |
Used by composer dev script to run 4 processes in parallel |
laravel-vite-plugin |
^3.1 |
Maps Blade's @vite directive to dev/built asset URLs |
tailwindcss |
^4.0.0 |
Tailwind CSS |
vite |
^8.0.0 |
Frontend dev server + bundler |
npm config
.npmrc:
ignore-scripts=true
audit=trueignore-scripts=true (added 2026-04-01) prevents lifecycle scripts (postinstall, preinstall) from any installed package from executing. audit=true (added 2026-04-15) makes npm install warn about vulnerable transitive deps.
package.json:
{
"$schema": "https://www.schemastore.org/package.json",
"private": true,
"type": "module"
}private: true— refuses publication to the npm registry.type: module— Vite config and any other.jsfiles use ESM by default.
Auto-discovered Laravel packages
The framework auto-discovers service providers from any installed Composer package's extra.laravel.providers block. The skeleton's composer.json contains:
"extra": {
"laravel": {
"dont-discover": []
}
}dont-discover: [] is the default — every package's providers and aliases are registered automatically. To skip a specific package's auto-discovery, list its name in the array (e.g. "dont-discover": ["barryvdh/laravel-debugbar"]).
Dependency freshness signals
| Dependency | Last visible bump in CHANGELOG |
|---|---|
laravel/framework |
Constraint ^13.7 corresponds to the v13.x release line opened in March 2026 |
laravel/pao |
Added in v13.4.0 (2026-04-28) |
laravel/pail |
Pinned at ^1.2.5; tracks framework majors |
vite |
^8.0.0 — bumped to v8 in v13.1.0 (2026-03-18) |
tailwindcss |
^4.0.0 — Tailwind v4 came in earlier in the v12.x line |
phpunit/phpunit |
^12.5.12 — pinned at this minimum to address a CVE (PR #6746, v12.12.0) |
The composer outdated and npm outdated commands give a real-time view of where each constraint sits relative to the latest published version. The skeleton's policy is to bump constraints only when the framework itself moves to a major version that requires it — so dependencies tend to be slightly older than the bleeding edge but never wildly stale.
What's not listed here
Several Laravel ecosystem packages are commonly added to laravel/laravel projects but are not in this skeleton's defaults:
laravel/sail— Docker dev environmentlaravel/breeze— Auth scaffoldinglaravel/jetstream— Auth + teams scaffoldinglaravel/sanctum— API token authlaravel/passport— OAuth2 serverlaravel/horizon— Queue dashboardlaravel/telescope— Debug assistantlaravel/pulse— Application performance monitoringlaravel/scout— Full-text searchlaravel/cashier— Stripe billingbarryvdh/laravel-debugbar— Debug bar
phpunit.xml's <env> block proactively disables Pulse, Telescope, and Nightwatch (PULSE_ENABLED=false, TELESCOPE_ENABLED=false, NIGHTWATCH_ENABLED=false) so installing them later doesn't break the test suite. The other packages are inert until added.
For the Composer / npm tool details, see How to contribute → Tooling.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.