PHP Annotated – February-March 2024

PHP Annotated Monthly

Welcome to the February–March edition of PHP Annotated! We’ll recap the most interesting developments in the PHP community over the past couple of months, featuring handpicked news, articles, tools, and videos.


  • PHP 8.2.16 and PHP 8.3.3 released

    🐛 These are bug-fix updates.

  • Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation

    Composer has been patched for vulnerability CVE-2024-24821, which, under certain conditions, caused arbitrary code execution leading to local privilege escalation, lateral user movement, or malicious code execution when Composer was invoked within a directory with tampered files.

  • Doctrine ORM 3 and DBAL 4 released

    These releases, which make the tools slimmer and more efficient, are the culmination of over a decade of hard work by dozens of contributors and the Doctrine maintainers.

  • Rector 1.0 is here

    The first stable release of the tool for automated upgrades and refactoring includes a new Zen config, a new custom-rule command, automated PHP sets, and streamlined integration with new projects.

  • PHP version stats: January 2024

    This regular overview of the usage of various PHP versions is based on the data that clients send to (for example, when they run a composer update command).

    In short, here is how the usage distribution has changed over the last six months:
    PHP 7.* – 20.3% (29.7% in 2023)
    PHP 8.* – 78.2% (69% in 2023)

  • PHPUnit 11

    This version streamlines test double creation, deprecates PHPDoc annotations in favor of PHP 8 attributes, and phases out less necessary features.

PHP Core

  • Release Managers for PHP 8.4

    PHP is seeking three engineers to handle the release of the upcoming PHP 8.4 branch. Candidates must commit to a 3.5-year term and possess a strong knowledge of PHP, Git, and C.
    Applications will be accepted through March 31.

  • The PHP Foundation: Impact and Transparency Report 2023

    The foundation now contracts 10 engineers to work on PHP’s core and infrastructure, receives sponsorships from major PHP companies, and has secured investment from a German government-backed fund.

    In 2024, the foundation group has several significant projects planned, including a new tool for installing PHP extensions, a security audit, and an update to the documentation.

    I, Roman Pronskiy, am sponsored by JetBrains to serve as an operations manager for the foundation. Check out my talk at Laracon EU to learn more about the foundation:

  • Welcome to The PHP Foundation discussions!

    As an experiment, the PHP Foundation has launched GitHub discussions in direct response to the community’s request for a more open and accessible communication platform.

  • 📺 Let’s talk about PECL

    The PHP Foundation is working on a new tool for installing PHP extensions. In this video, Brent Roose, James Titcumb, and Roman Pronskiy discuss everything there is to know about it.

  • RFC: Property hooks

    Hooks have become one of the biggest and most discussed RFCs in PHP in the last few years. After a round of discussions, the authors of the proposal, Larry Garfield and Ilija Tovillo, significantly updated the details.

    Some notable changes from the full list:

    • As noted a while ago, the $field has been removed.
    • The $foo => expression shorthand has been removed. The legal shorthands are now:
      public string $foo {
        get => evaluates to a value;
        set => assigns this value;
    • The set shorthand (with => ) now means “write this value instead”. The non-shorthand version (set { } ) always returns void, so you have to assign the value yourself.
    • Added an FAQ regarding the property-centric approach rather than the method-centric approach.
    • Added an FAQ item explaining why a ‘virtual’ keyword is not feasible.
  • 📊 RFC: Deprecate implicitly nullable parameter types
    Currently, using null as a default value of a function parameter is allowed, and it does not generate an error even if the parameter has a type declaration and is not nullable.

    Moreover, there is a slight inconsistency in allowing optional parameters before required ones. For example, the following signature is valid:

    function foo(T1 $a, T2 $b = null, T3 $c) {} // Currently valid

    Máté Kocsis and Gina P. Banyard propose to deprecate such declarations and require explicit nullable marks. This is a BC break, but the migration is relatively straightforward and can be automated.

    function foo(T $var = null) {} // Deprecated warning if RFC accepted
    function foo(?T $var = null) {} // OK

    Note: This change impacts quite a few open-source projects. You can use this script or this regexp to check if your project is also affected.

  • 📣 RFC: Add OOP methods to cURL objects

    Sara Golemon proposes adding simple OOP interfaces to the cURL extension to provide a bit more pleasant out-of-the-box HTTP client experience for PHP.

    try {
      (new \CurlHandle)->setOpt(YOUR_VOTE, true)->exec();
    } catch (\CurlHandleException $exception) {
  • RFC: Opt-in DOM spec-compliance
  • RFC: RFC1867 for non-POST HTTP verbs
    A new request_parse_body() function, designed to allow handling form data for PUT and PATCH requests, will be available as of PHP 8.4.
  • RFC: Add http_(get|clear)_last_response_headers() function
  • RFC: Multibyte for ucfirst, lcfirst functions, mb_ucfirst mb_lcfirst
  • RFC: Final by default anonymous classes



  • php-static-analysis/attributes – Attributes used for static analysis.

    An idea that popped up in a Twitter thread has now received a proper implementation, making it possible to specify type metadata for functions and classes in PHP 8 attributes instead of PHPDoc tags.


    Read the Using PHP Attributes instead of Annotations for Static Analysis blog post by Carlos Granados to learn more about the motivation behind this idea, as well as its use cases and limitations.

  • typhoon-php/typhoon – Ultimate type system and reflection for PHP. It includes abstraction for the PHP static type system, and Typhoon Reflection, an alternative to native PHP Reflection.
  • xepozz/internal-mocker – A tool for mocking internal PHP functions and classes.
  • yiisoft/hydrator – Create and populate objects with support for type casting, mapping, and resolving dependencies.
  • coollabsio/coolify – An open-source and self-hostable alternative to Heroku, Netlify, and Vercel.
  • opencodeco/phpctl – A Docker (containers) based development environment for PHP. See this Introduction to PHPCTL for details.
  • hydephp/hyde – A static site generator with the power of Laravel and the simplicity of Markdown.
  • swoole/phpy – A library that allows you to use Python functions and libraries in PHP or use PHP packages in Python.
  • SRWieZ/thumbhash – A ThumbHash implementation in PHP that allows you to generate unique, human-readable identifiers from image files.
  • rryqszq4/ngx-php – An embedded PHP language module for the NGINX web server. According to benchmarks, it’s currently the fastest possible way to run PHP – faster than Swoole, RoadRunner, and FrankenPHP.
  • crazywhalecc/static-php-cli – The tool makes it possible to build standalone PHP binaries for Linux, macOS, FreeBSD, and, with the latest update, Windows too!





These PHP events are all worth a visit, and some are still accepting presentation proposals:


  • Is PHP dead? 🤔 – Here’s a fun puzzle with some nice easter eggs. Can you find all 8?

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or send us a tweet.

Subscribe to PHP Annotated

Roman Pronskiy

Developer Advocate at @PhpStorm, Operations Manager at @The PHP Foundation.

Twitter | GitHub

image description