Converge Components is a collection of specialized Blade components designed specifically for documentation management. These components integrate seamlessly with the Converge Framework to create consistent, professional technical documentation with advanced theming capabilities.
Converge Components are pure Laravel Blade components enhanced with the Converge theming system. The package has the following dependencies:
Install
composer require convergephp/blade-components
Publishing assets
Run the command below at the root of your Laravel project. This will create a public/vendor/converge directory in your public directory.
php artisan vendor:publish --tag=converge-components-assets
Now, you can use components within your markdown files.
Running composer update at the root of your project will pull in the latest version of Converge Components.
composer update convergephp/blade-components
Always publish assets when you update to a new version of Converge Components.
To automate publishing of the Converge Components files every time you run composer update, you can add the following lines to your composer.json file under the scripts key.
"scripts": {
    "post-update-cmd": [
        "@php artisan vendor:publish --tag=another-published-assest --force",
        "@php artisan vendor:publish --tag=converge-components-assets --force",
        "@php artisan vendor:publish --tag=any-other-assets --force"
    ]
}
Rendering Blade components inside markdown is a powerful feature in Converge, but it can quickly become a security nightmare if not used with caution. It introduces serious security risks when the rendered content is dynamic or user-controlled.
For example, if you use the divide component like this:
<x-converge::divide title="available methods in SidebarItem" color="success">
    {{ file_get_contents(base_path('.env')) }}
</x-converge::divide>
You’ve now exposed your entire .env file to the public. All environment variables are fully visible, including secrets and database credentials.
This feature should only be used when trusted administrators are managing the documentation content.
Do not use this for user-driven content.
We're actively working on a solution. Our current direction involves sandboxing these components or building a minimal Blade-like engine that supports only the Converge component syntax. The goal is to keep the developer experience identical to Blade while restricting access to dangerous PHP functions.
Ensure that all documentation content is managed exclusively by trusted administrators.
Carefully review all pull requests to the documentation repository — especially those modifying markdown files or using dynamic components.
Audit your entire documentation to confirm that no sensitive logic, data access, or insecure function calls (e.g., file_get_contents, exec, eval) are exposed through components.
Always remember: when using these components, there is no security layer between your application logic and the markdown content. Any misuse directly compromises your environment.
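One way to run the audit and pull-request review described above as a CI check (an added example, not Converge's own tooling): a Python scanner that flags Blade echo statements, PHP directives and risky function calls in markdown files. The rule names, the function names beyond file_get_contents, exec and eval, and the sample document are assumptions; fenced code blocks are scanned too, because the page does not say they are exempt from rendering.

```python
import re
import sys
from pathlib import Path

# Constructs that make Blade evaluate PHP inside documentation markdown.
# file_get_contents, exec and eval are named on the page; the other
# function names are an assumed extension of that list.
RULES = [
    ("blade-echo", re.compile(r"\{\{.*?\}\}", re.DOTALL)),
    ("blade-raw-echo", re.compile(r"\{!!.*?!!\}", re.DOTALL)),
    ("php-directive", re.compile(r"@php\b")),
    ("php-tag", re.compile(r"<\?(?:php|=)")),
    ("dangerous-call", re.compile(
        r"\b(?:file_get_contents|exec|eval|shell_exec|system|passthru|"
        r"proc_open|env|base_path)\s*\(")),
]

# Constructed sample: the .env disclosure from the page next to a harmless block.
SAMPLE = """\
# SidebarItem

<x-converge::divide title="available methods" color="success">
    {{ file_get_contents(base_path('.env')) }}
</x-converge::divide>

<x-converge::divide title="static text only" color="success">
    Plain text is fine.
</x-converge::divide>
"""


def audit_markdown(text):
    """Return sorted (line, rule, snippet) tuples for every risky construct."""
    findings = []
    for rule, pattern in RULES:
        for match in pattern.finditer(text):
            # Whole-text matching catches expressions split across lines;
            # the line number is recovered from the match offset.
            line = text.count("\n", 0, match.start()) + 1
            findings.append((line, rule, " ".join(match.group(0).split())))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_docs.py docs/  (exits 1 when anything is flagged)
    roots = [Path(p) for p in sys.argv[1:]]
    files = [f for r in roots for f in ([r] if r.is_file() else r.rglob("*.md"))]
    failed = False
    for path in files:
        for line, rule, snippet in audit_markdown(path.read_text(encoding="utf-8")):
            print(f"{path}:{line}: {rule}: {snippet}")
            failed = True
    sys.exit(1 if failed else 0)
```

The scanner is deliberately conservative: every hit is a prompt for a reviewer to decide, not proof of a leak, and a clean run does not replace restricting who can edit the documentation.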