Excellent PHP writing, hand-picked.
No buzzwords. No ads. No nonsense. Curated by Stefan Priebsch and Sebastian Bergmann of thePHP.cc as a free service to the PHP community.

View all issues →

Issue #15

Staying in control

7 July 2026

"This issue features a library rebuilt by its maintainer after 25 years, a static analysis tool ported to Rust by an LLM, and a coding agent locked into a sandbox. Different stories, one common thread: no matter how our tools change, we developers stay in control."
— Stefan & Sebastian

tecnick.com

Rebuilding TCPDF after 25 years

Nicola Asuni looks back on the history of TCPDF, the PDF generation library that started as a workaround in an e-commerce project and ended up many software projects. Instead of continuing to patch the code, he has rebuilt everything from scratch.

Picked by Stefan Priebsch – “Few maintainers get to reflect on a quarter century of one library. Nicola Asuni has many years on a library that much of the PHP world depends on, and he is not done yet. That kind of dedication deserves our gratitude and support.”

mattbrown.dev

Trying to port Psalm to Rust

Matt Brown, the original creator of Psalm, wanted to know whether an LLM could port his static analysis tool to Rust. It could, mostly: after months of iteration and a hefty token bill, Pzoom runs ten times faster than Psalm and passes almost the entire test suite.

Picked by Sebastian Bergmann – “Matt writes honestly about what the LLM got right and where he had to step in himself. Without Psalm's test suite, this rewrite would have been a gamble.”

einenlum.com

Running coding agents in a sandbox

How can we let coding agents work autonomously, but without giving it full access to our machine? The author of this article locks the agent into a sandbox and shows step by step how to get a PHP project, database included, working inside it.

Picked by Stefan Priebsch and Sebastian Bergmann – "No matter how capable coding agents become, one thing must not change: we are in charge of our own machines. Using a sandbox helps us to keep it that way."

Issue #14

The work behind PHP

23 June 2026

"On the surface, these articles are about funding, generics, and friend classes. Together, they reveal something broader: how PHP evolves through institutional support, careful debate, and contributions from across the community."
— Stefan & Sebastian

thephp.foundation

What the PHP Foundation delivered in 2025

In a significant year for PHP, which marked its thirtieth anniversary, the PHP Foundation helped deliver PHP 8.5, released PIE 1.0, began modernizing the streams layer, and accounted for roughly 42% of PHP core commits. The Foundation's 2025 Impact and Transparency Report details how $730,534 in contributions were collected and spent.

Picked by Stefan Priebsch – "This report makes the Foundation’s contribution to PHP’s development visible and gives useful detail on how its funding is used.”

gpb.moe

The case against erased generics in PHP

PHP core developer Gina Banyard argues that runtime-erased generics conflict with PHP’s established runtime type system and depend too heavily on optional static analysis tools. She makes the case for incrementally introducing runtime-checked generics instead.

Picked by Sebastian Bergmann – “A clear case for treating generics as a language design problem rather than leaving their semantics to static analysis tools. This article offers the counterpoint to the position we featured two issues ago.”

scherzer.dev

Exploring friend classes for PHP

The author explores how PHP could support “friend” classes, allowing selected code to access private or protected members without making them public. He compares an attribute-based approach with class-level language syntax and examines the semantic problems each option introduces.

Picked by Stefan Priebsch and Sebastian Bergmann – "We selected this article not because of the importance of the feature itself, but because it demonstrates how the language evolves through the work and contributions of the PHP community."

Issue #13

Keeping the Ecosystem Trustworthy

16 June 2026

"Trust in open source is not a given. It is built over time through stewardship, transparency, and the operational discipline that keeps ecosystems resilient under pressure as supply-chain risks grow."
— Stefan & Sebastian

blog.packagist.com

Composer & Packagist supply chain security

Supply-chain security is becoming a central concern for the PHP ecosystem. This article highlights that maintaining trust in open source increasingly depends not only on code quality, but also on operational discipline. The Composer and Packagist team discusses current and upcoming feature releases they have been working on over the past few months.

Picked by Stefan Priebsch and Sebastian Bergmann – "This update shows the extraordinary security work of Composer and Packagist that keeps the ecosystem dependable without most developers ever noticing it."

queue.acm.org

Open Source and the Iceberg Theory

Open source supply chains can no longer be treated as passive lists of dependencies. This article argues that maintaining trust in modern software requires a shift from dependency management to active stewardship. We need to invest in the people, processes, and ecosystems behind the packages we rely on.

Picked by Sebastian Bergmann – "The important parts of open source are often below the surface: maintenance, governance, and the social infrastructure that makes software reliable."

socket.dev

The Hidden Risk in Development Branches

A compromised Packagist package shows how open source trust can be abused in very targeted ways. Here, attackers hid malicious code in a development branch of an otherwise legitimate PHP package, likely aiming at developers through a fake job interview or coding task.

Picked by Stefan Priebsch – "Supply-chain security is not only about popular packages and stable releases. Even obscure branches and temporary test versions can become attack vectors."