Excellent PHP writing, hand-picked.
No buzzwords. No ads. No nonsense. Curated by Stefan Priebsch and Sebastian Bergmann of thePHP.cc as a free service to the PHP community.

Issue #13

Keeping the Ecosystem Trustworthy

16 June 2026

"Trust in open source is not a given. It is built over time through stewardship, transparency, and the operational discipline that keeps ecosystems resilient under pressure as supply-chain risks grow."
— Stefan & Sebastian

blog.packagist.com

Composer & Packagist supply chain security

Supply-chain security is becoming a central concern for the PHP ecosystem. This article highlights that maintaining trust in open source increasingly depends not only on code quality, but also on operational discipline. The Composer and Packagist team discusses current and upcoming feature releases they have been working on over the past few months.

Picked by Stefan Priebsch and Sebastian Bergmann – "This update shows the extraordinary security work of Composer and Packagist that keeps the ecosystem dependable without most developers ever noticing it."

queue.acm.org

Open Source and the Iceberg Theory

Open source supply chains can no longer be treated as passive lists of dependencies. This article argues that maintaining trust in modern software requires a shift from dependency management to active stewardship. We need to invest in the people, processes, and ecosystems behind the packages we rely on.

Picked by Sebastian Bergmann – "The important parts of open source are often below the surface: maintenance, governance, and the social infrastructure that makes software reliable."

socket.dev

The Hidden Risk in Development Branches

A compromised Packagist package shows how open source trust can be abused in very targeted ways. Here, attackers hid malicious code in a development branch of an otherwise legitimate PHP package, likely aiming at developers through a fake job interview or coding task.

Picked by Stefan Priebsch – "Supply-chain security is not only about popular packages and stable releases. Even obscure branches and temporary test versions can become attack vectors."

Issue #12

Can PHP finally have generics?

19 May 2026

"Generics are back on PHP’s agenda, not as an abstract type system debate but as a practical question about how much intent the language itself should express. And, as expected, security remains a hot topic."
— Stefan & Sebastian

garfieldtech.com

PHP generics, closer than ever

This article frames the latest RFC for generics in PHP as perhaps the language’s best shot yet, while raising an important unresolved question: would such a feature make static analysis an implicit part of writing modern PHP?

Picked by Stefan Priebsch – "A balanced analysis of PHP’s latest attempt at generics, one of PHP’s hardest language design questions: technically possible, widely desired, but full of trade-offs."

wiki.php.net

Another RFC for generics in PHP

This RFC proposes moving even more of PHP’s informal “promises about what kind of data code expects” out of comments and into the language itself, while keeping adoption gradual so existing code does not have to change all at once.

Picked by Sebastian Bergmann – "This might become another example of PHP core adopting ideas explored in userland, in this case shaped in large part by the maintainers of static analysis tools."

phpreads.com

Composer fails fast and fails hard

Damien Retzinger documents a serious PHP supply-chain issue. For a short window, vulnerable Composer versions could expose GitHub Actions tokens in public build logs after GitHub changed its token format.

Picked by Stefan Priebsch and Sebastian Bergmann – "Perfect example of a blame-free post-mortem providing useful guidance for the PHP community. Thank you, Damien, for your exceptional work."

Issue #11

Security has a long memory

12 May 2026

"Security has a long memory. Systems carry forward old assumptions, forgotten shortcuts, and design decisions made under constraints that no longer exist. We look at what happens when familiar software is examined with fresh eyes and how tools like Claude Mythos may bring long-buried risks back into view."
— Stefan & Sebastian

blog.calif.io

Finding and exploiting a 21-year-old vulnerability in PHP

This article walks through a newly discovered use-after-free vulnerability in PHP's unserialize() function, tracing it back to a missing lock in a code path introduced with PHP 5.1. It shows that old design decisions can remain reachable, relevant, and dangerous long after everyone assumes the terrain is well understood.

Picked by Stefan Priebsch – "Code is not only an asset; it is also a liability. This article shows how every line can carry hidden risk, sometimes lying dormant for decades before becoming exploitable."

sektioneins.de

phpinfo() type confusion infoleak vulnerability and SSL private keys

It is great to see Stefan Esser associated with PHP security again. Few people have shaped the field as deeply, with work such as the Hardened-PHP Project, Suhosin, and the Month of PHP Bugs. This historic article is a good example of the depth and precision of his work.

Picked by Sebastian Bergmann – "Stefan Esser’s work has held up exceptionally well over time. I picked this article to raise security awareness in preparation for what may come once Claude Mythos is used to look at PHP."

phrack.org

Hacking PHP

Famous hacker Orange Tsai’s article turns PHP security into a story about curiosity, persistence, and the creative culture of the security researcher community. It shows how playful exploration of familiar systems can uncover forgotten lessons, preserve community knowledge, and push security research forward.

Picked by Stefan Priebsch and Sebastian Bergmann – "Security research is about revealing how familiar systems fail when real-world use exceeds the assumptions their designers made."