This document is for developers who want to:
- work on this package locally
- use this package inside another Laravel app before publishing to Packagist
- run tests, formatting, and static analysis
- contribute features or fixes safely
Clone the package:
git clone git@github.com:ghostcompiler/laravel-querybuilder.git laravel-querybuilder
cd laravel-querybuilderInstall dependencies:
composer updateQuality tooling currently targets PHP 8.2+ because the latest Larastan release requires it. The package itself still supports PHP 8.1+ at runtime.
If you want to pull this package directly into a Laravel app from your local machine, add a path repository to the consuming app's composer.json:
{
"repositories": [
{
"type": "path",
"url": "/absolute/path/to/laravel-querybuilder"
}
],
"require": {
"ghostcompiler/laravel-querybuilder": "*"
}
}Then install or refresh it:
composer update ghostcompiler/laravel-querybuilderIf you want Composer to symlink instead of mirroring the package, you can use:
{
"repositories": [
{
"type": "path",
"url": "/absolute/path/to/laravel-querybuilder",
"options": {
"symlink": true
}
}
]
}When you change package classes or move internals during local development, it is also a good idea to refresh autoload metadata in the consuming app:
composer dump-autoloadThis package is designed to safely transform request input into Eloquent query constraints, but contributors should treat it as a boundary-sensitive library.
Keep these rules in mind when changing behavior:
- start from a safe base query in consuming apps
- do not rely on this package to create tenant scoping or authorization automatically
- keep request-driven filters, sorts, includes, and selected columns deny-by-default unless explicitly allow-listed
- keep soft-delete behavior behind the
trashedcommand instead of request-drivendeleted_atfilters - keep relation-depth limits in place for request-driven dotted relation paths
- avoid introducing raw SQL paths that accept user-controlled identifiers or expressions
Safe consuming-app pattern:
$request->user()
->videos()
->queryBuilder($request)
->paginateTable();Less safe multi-tenant pattern:
Video::queryBuilder($request)->paginateTable();If you add new request-driven behavior, make sure it is:
- validated before query application
- covered by explicit allow-lists where applicable
- tested in both normal mode and strict mode
- documented in
README.md
If the new behavior affects performance-sensitive query shapes, also consider:
- pagination caps
- relation depth
- list-size caps for
instyle filters - whether the exposed fields should be indexed in production databases
Validate the package manifest:
composer analyseRun the test suite:
composer testRun static analysis:
composer stanCheck formatting:
composer lintAuto-format:
composer formatRun the full local quality suite:
composer qualityThe package test suite uses Orchestra Testbench with an in-memory SQLite database.
Current fixture coverage includes:
- model search
- nested relation search
- morph relation search
- scalar filters
- relation filters
- morph relation filters
- relation sorting
- morph relation eager loading
- selective columns
- soft deletes
- date ranges
- API-style pagination payloads
- custom filter callbacks
- strict mode validation
The local test harness can also use PostgreSQL when these environment variables are provided:
TEST_DB_CONNECTION=pgsql
TEST_DB_HOST=127.0.0.1
TEST_DB_PORT=5432
TEST_DB_DATABASE=laravel_querybuilder_test
TEST_DB_USERNAME=postgres
TEST_DB_PASSWORD=secret
composer testThis is useful for verifying PostgreSQL-specific behavior such as boolean casting, alias-heavy queries, and subquery sorting. The database itself must already exist and be reachable from your machine.
When adding a new query option:
- Add the behavior in
src/Support/QueryBuilderEngine.php. - Add model-facing configuration if needed.
- Add or extend tests in
tests/QueryBuilderTest.php. - Update
README.md. - Run
composer quality.
Before tagging a release:
- Update
README.mdif the API changed. - Run
composer quality. - Check GitHub Actions for
tests,quality, andsecurity. - Tag the release with semantic versioning.