Add #[Locked] attributes to prevent client-side property tampering (#549)

This hardens the Modal component against Livewire hydration attacks
(CVE-2025-54068). While the vulnerability was fixed in Livewire 3.6.4,
adding #[Locked] to $activeComponent and $components provides
defense-in-depth by preventing any client-side manipulation of these
properties via the updates mechanism.

The test was updated to use proper server-side methods instead of
directly setting properties, which is exactly what #[Locked] prevents.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: PhiloNL

src/Modal.php

@@ -8,14 +8,17 @@
 use Illuminate\Support\Collection;
 use Illuminate\Support\Reflector;
 use Illuminate\View\View;
+use Livewire\Attributes\Locked;
 use Livewire\Component;
 use Livewire\Mechanisms\ComponentRegistry;
 use ReflectionClass;
 
 class Modal extends Component
 {
+    #[Locked]
     public ?string $activeComponent;
 
+    #[Locked]
     public array $components = [];
 
     public function resetState(): void

tests/LivewireModalTest.php

@@ -72,15 +72,9 @@ public function testModalReset(): void
         Livewire::component('demo-modal', DemoModal::class);
 
         Livewire::test(Modal::class)
-            ->dispatch('openModal', 'demo-modal')
-            ->set('components', [
-                'some-component' => [
-                    'name' => 'demo-modal',
-                    'arguments' => ['bar'],
-                    'modalAttributes' => [],
-                ],
-            ])
-            ->set('activeComponent', 'some-component')
+            ->dispatch('openModal', component: 'demo-modal', arguments: ['message' => 'Test'])
+            ->assertNotSet('activeComponent', null)
+            ->assertNotSet('components', [])
             ->call('resetState')
             // Verify properties are reset
             ->assertSet('activeComponent', null)