Laravel
Endless Lifecycle Support (ELS) for Laravel from TuxCare provides security fixes for Laravel framework versions that have reached their end-of-life. This allows you to continue running your Laravel applications without vulnerability concerns, even after official support has ended.
Supported Versions
- Laravel 5.4.36, 5.5.50, 5.6.40, 5.7.29, 5.8.38, 8, 10, 11
- Illuminate View 5.4.36
Other versions upon request.
Connection to ELS for Laravel Repository
This guide outlines the steps needed to integrate the TuxCare ELS for Laravel repository into your Laravel application. The repository provides trusted Laravel framework versions that can be easily integrated into your Composer projects.
Step 1: Get user credentials
You need a username and password in order to use TuxCare ELS for Laravel repository. Anonymous access is disabled. To receive the credentials, please contact sales@tuxcare.com.
Step 2: Configure Composer authentication
Create or edit the
auth.jsonfile for the user running Composer:Linux/macOS:
~/.composer/auth.jsonWindows:
%APPDATA%\Composer\auth.json
Use either the Composer CLI or edit
auth.jsondirectly to add your credentials fornexus.repo.tuxcare.com.composer config --global --auth http-basic.nexus.repo.tuxcare.com USERNAME PASSWORDReplace
USERNAMEandPASSWORDwith the credentials you received in Step 1.
Step 3: Register the TuxCare repository
Add the els_php Composer repository either via CLI or by editing composer.json:
composer config repositories.tuxcare '{"type":"composer","url":"https://nexus.repo.tuxcare.com/repository/els_php/","options":{"http":{"verify":true}}}' --jsonStep 4: Install Laravel components
Install the TuxCare-maintained Laravel or Illuminate release that matches your project:
composer require laravel/framework:10.48.28-p1+tuxcareCheck the exact version listed in your TuxCare Nexus account to ensure you receive the most recent patched release.
If you edited composer.json manually, run composer update to install the package:
composer update
Composer will resolve dependencies against the TuxCare repository and install the patched releases.
Composer Repository Configuration
If you encounter dependency resolution errors like:
packages from higher priority repository do not match your constraint
it usually means your project requires a package version that is not yet available in the TuxCare repository.
Solution: Update your composer.json to set the TuxCare repository as non-canonical:
{
"repositories": [
{
"type": "composer",
"url": "https://nexus.repo.tuxcare.com/repository/els_php/",
"canonical": false
}
]
}
This allows Composer to fall back to Packagist for packages not available in the TuxCare repository, while still preferring TuxCare patches when available.
Vulnerability Exploitability eXchange (VEX)
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives and helps prioritize real risks.
TuxCare provides VEX for:
- Laravel: security.tuxcare.com/vex/cyclonedx/els_lang_php/laravel-framework/
- Illuminate: security.tuxcare.com/vex/cyclonedx/els_lang_php/illuminate-view/
How to Upgrade to a Newer Version
If you have already installed a TuxCare Laravel package and want to upgrade to a newer release, update the version string in your composer.json file or run the composer require command with the new version:
composer require laravel/framework:VERSION-pN+tuxcare
Then run composer update to apply the changes:
composer update
Resolved CVEs in Laravel and Illuminate
Fixes for the following vulnerabilities are available in ELS for Laravel from TuxCare:
| CVE ID | Severity | Vulnerable versions | Fixed in version |
|---|---|---|---|
| CVE-2021-43808 | Medium | < 6.18.35, < 7.24.0 | 5.4.36-p2+tuxcare |
If you are interested in the TuxCare Endless Lifecycle Support, contact sales@tuxcare.com.
