chore(deps): update dependency laravel/framework to v13.12.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
laravel/framework (source)	13.11.2 → 13.12.0

---

Laravel Framework: Temporary Signed URL Path Confusion

GHSA-crmm-hgp2-wgrp

More information

Details

A vulnerability in Laravel's local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement.

Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended at signing time. This may cause requests to resolve to an unintended resource, and can prevent expiration from being enforced, allowing expired URLs to remain valid indefinitely.

Impact

• Expired temporary URLs may continue to be accepted
• Requests may resolve to a different resource than the one that was signed
• The upload variant may allow writes to reach an unintended destination

Severity

• CVSS Score: 4.2 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

• https://github.com/laravel/framework/security/advisories/GHSA-crmm-hgp2-wgrp
• https://github.com/laravel/framework/pull/60137
• https://github.com/laravel/framework/pull/60230
• https://github.com/laravel/framework/pull/60350
• https://github.com/advisories/GHSA-crmm-hgp2-wgrp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

laravel/framework (laravel/framework)

v13.12.0

Compare Source

• [13.x] Accept Symfony's new control-characters exception message in mailer test by @​kieranbrown in #​60202
• [13.x] Ability to opt out of worker restart on lost connection by @​jackbayliss in #​60201
• [13.x] Resolve scheduled event callback parameter by type rather than name by @​kayw-geek in #​60197
• [13.x] default clear() queue driver param to null by @​jackbayliss in #​60192
• [13.x] Fix path separator being encoded for LocalFilesystemAdapter by @​jackbayliss in #​60194
• [13.x] feat: add factory to pivot stub by @​ludo237 in #​60204
• [13.x] Fix incorrect type hint in Optional::offsetUnset() docblock by @​rpsohag in #​60207
• [13.x] Make ClearCommand prohibitable by @​jackbayliss in #​60215
• [13.x] Allow auto discovered listeners to opt out of discovery by @​jackbayliss in #​60209
• [13.x] Ensure Up/Down commands report exceptions by @​jackbayliss in #​60232
• [13.x] Fix path separator encoding in temporaryUrl on local disk by @​kayw-geek in #​60230
• [13.x] Add assertJsonPathsCanonicalizing to TestResponse by @​Tresor-Kasenda in #​60225
• [13.x] Add normalize parameter to Str::studly() and Str::pascal() by @​hotmeteor in #​60229
• [13.x] Fix async HTTP retries when using array backoff values by @​LucasCavalheri in #​60214
• [13.x] Replace compact with explicit arrays by @​parkourben99 in #​60234
• [13.x] Add prohibited to KeyGenerateCommand by @​jackbayliss in #​60224
• [13.x] remove last compact() call by @​browner12 in #​60235
• [13.x] Allow JsonSchema fluent boolean flags to be unset by @​LucasCavalheri in #​60239
• [13.x] battle harden when scheme is present in the config by @​DGarbs51 in #​60237
• [13.x] Rector : Always convert compact() to variables by @​lucasmichot in #​60236
• [13.x] Add attributes to Scheduler by @​cosmastech in #​60255
• [13.x] Guard base_path() call in SQLiteConnector for standalone usage by @​YoussefMansour9 in #​60266
• [13.x] Fix incorrect @​return types in Number::spell(), ordinal(), and spellOrdinal() by @​AmdadulShakib in #​60263
• [13.x] Supports using URI-based connection for SQLite using file: prefix by @​crynobone in #​60261
• [13.x] Add Client\Request::uri() by @​stevebauman in #​60282
• [13.x] View\Factory::flushComponents() doesn't reset $slots / $slotStack by @​martinsoenen in #​60283
• [13.x] Throw ManagedQueueNotFoundException when a managed queue is missing by @​kieranbrown in #​60275

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.