Don't forget to pin PECL extensions

We pin Composer packages and PHP versions, but what about PECL extensions?

Joel Clermont
2023-10-04

Today's tip came from a real-world scenario that burned me recently.

Any time we install a Composer package, Composer resolves a specific version and records it in the composer.lock file. On any other machine where we run composer install, we get exactly that version.

If you are using Docker, you quite likely do the same thing for your versions of PHP, nginx, mysql, and so on. Consistency between environments is great!

One place I hadn't been doing this was with PECL extensions, like the redis extension. In my Dockerfile, I'd just have this line:

# unpinned - will jump major versions - don't do this
RUN pecl install redis && docker-php-ext-enable redis

And then in my composer.json file, I'd specify "ext-redis": "^5.3" as a requirement.

But recently, version 6.0 of this extension came out, so when my Docker containers were built in our CI pipeline, pecl installed that new version. The ^5.3 constraint allows any 5.x release from 5.3.0 upward but excludes 6.0.0, so composer install failed the platform check in my composer.json file.

The solution was simple, and obvious in hindsight: pin the version of the extension in my Dockerfile:

# pinned to a specific patch version - no surprises!
RUN pecl install redis-5.3.7 && docker-php-ext-enable redis
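To make precise what the ^5.3 constraint permits and why 6.0.0 fell outside it, here is an added shell example (not code from the original post) that implements Composer's caret rule for major.minor.patch versions, plus a small helper you could run as a build step right after the pecl line to confirm the pinned extension actually satisfies the constraint. caret_satisfied and check_installed_ext are hypothetical names chosen for this example; check_installed_ext assumes a php binary on PATH and is not a Composer command.

```shell
#!/bin/sh
# Added example: check whether an installed PECL extension version satisfies a
# Composer caret constraint such as "^5.3". Not code from the original post.
#
# Composer's caret semantics:
#   ^X.Y.Z  (X >= 1)  allows >= X.Y.Z and < (X+1).0.0
#   ^0.Y.Z  (Y >= 1)  allows >= 0.Y.Z and < 0.(Y+1).0
#   ^0.0.Z            allows >= 0.0.Z and < 0.0.(Z+1)
# Missing minor/patch components count as 0, so "^5.3" means ">=5.3.0 <6.0.0".

# Print the numeric major, minor and patch of a version, space separated.
# A pre-release suffix such as "6.0.0RC1" is dropped (assumption: only the
# numeric core is compared; Composer itself orders RC below the final release).
ver_parts() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' '
}

# caret_satisfied CONSTRAINT VERSION -> exit 0 if VERSION is inside the range, 1 if not
caret_satisfied() {
  c=${1#^}
  v=$2
  set -- $(ver_parts "$c")
  cmaj=${1:-0}; cmin=${2:-0}; cpat=${3:-0}
  set -- $(ver_parts "$v")
  vmaj=${1:-0}; vmin=${2:-0}; vpat=${3:-0}

  # lower bound: VERSION >= CONSTRAINT, compared component by component
  if [ "$vmaj" -lt "$cmaj" ]; then return 1; fi
  if [ "$vmaj" -eq "$cmaj" ]; then
    if [ "$vmin" -lt "$cmin" ]; then return 1; fi
    if [ "$vmin" -eq "$cmin" ] && [ "$vpat" -lt "$cpat" ]; then return 1; fi
  fi

  # upper bound: the left-most non-zero component of the constraint must not change
  if [ "$cmaj" -gt 0 ]; then
    [ "$vmaj" -eq "$cmaj" ]
  elif [ "$cmin" -gt 0 ]; then
    [ "$vmaj" -eq 0 ] && [ "$vmin" -eq "$cmin" ]
  else
    [ "$vmaj" -eq 0 ] && [ "$vmin" -eq 0 ] && [ "$vpat" -eq "$cpat" ]
  fi
}

# check_installed_ext EXT CONSTRAINT: ask the PHP on PATH which version of EXT it
# loaded and compare it with the constraint from composer.json. Meant as a build
# step right after "docker-php-ext-enable". Hypothetical helper: it needs php,
# so the demonstration below does not call it.
check_installed_ext() {
  ext=$1
  constraint=$2
  installed=$(php -r "echo phpversion('$ext');") || return 2
  if [ -z "$installed" ]; then
    echo "extension $ext is not loaded" >&2
    return 2
  fi
  if caret_satisfied "$constraint" "$installed"; then
    echo "$ext $installed satisfies $constraint"
  else
    echo "$ext $installed does not satisfy $constraint" >&2
    return 1
  fi
}

# Demonstration with the two versions from the story above.
for v in 5.3.7 6.0.0; do
  if caret_satisfied '^5.3' "$v"; then
    echo "redis $v satisfies ^5.3"
  else
    echo "redis $v does not satisfy ^5.3 (this is what broke the CI build)"
  fi
done
```

In a real image you can lean on Composer instead of a hand-written helper: composer check-platform-reqs compares every php and ext-* constraint from composer.lock against what the interpreter actually loaded, so a RUN composer check-platform-reqs step after composer install fails the image build, rather than a later deploy, if the pinned pecl version and the composer.json constraint ever drift apart.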

Here to help,

Joel

P.S. Laravel is pretty secure by default, but Aaron published a course to go even deeper on Laravel security.
