Keeping PHP Current
Security maintenance includes running supported PHP versions, updating extensions and dependencies, monitoring advisories, and testing upgrades before old versions become emergencies.
Core Controls
- Track the PHP versions used locally, in CI, containers, servers, and managed hosting.
- Follow supported PHP release branches and plan upgrades before security support ends.
- Run dependency audits and review abandoned packages.
- Update extensions, base images, operating-system packages, and web servers too.
- Use automated tests and staging environments to make upgrades routine.
Inventory The Whole Runtime
<?php
declare(strict_types=1);

// Record the interpreter version and whether the extensions this application
// relies on are actually present in this runtime.
echo 'PHP ' . PHP_VERSION . PHP_EOL;
foreach (['openssl', 'pdo', 'mbstring', 'intl'] as $extension) {
    echo $extension . ': ' . (extension_loaded($extension) ? 'loaded' : 'missing') . PHP_EOL;
}
Capture the same information in local development, CI, staging, production, containers, and worker runtimes. A web process and queue worker can drift even when they deploy from the same repository.
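The drift check described above, as an added example that is not part of the lesson: the script emits a JSON snapshot of PHP, loaded extensions and the packages in composer.lock, and when given a snapshot saved on another host (the baseline file path and the composer.lock location are assumptions) it exits non-zero on any difference so CI or a deploy hook can refuse the rollout.

```php
<?php
declare(strict_types=1);
// Added example, not the lesson's own code. Snapshot the runtime as a flat map
// so snapshots from web, worker, CI and container hosts can be diffed.
// The composer.lock path is an assumption; pass the one your deploy really uses.

function runtimeSnapshot(string $lockFile = 'composer.lock'): array
{
    $snapshot = [
        'php'     => PHP_VERSION,
        'sapi'    => PHP_SAPI,
        'openssl' => defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'not loaded',
    ];
    foreach (get_loaded_extensions() as $name) {
        $snapshot['ext.' . strtolower($name)] = phpversion($name) ?: 'unknown';
    }
    // Composer packages come from the lock file, which is what actually deployed.
    if (is_file($lockFile)) {
        $lock = json_decode((string) file_get_contents($lockFile), true, 512, JSON_THROW_ON_ERROR);
        foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
            $snapshot['pkg.' . $pkg['name']] = $pkg['version'];
        }
    }
    ksort($snapshot);
    return $snapshot;
}

// Report every key whose value differs between two snapshots (e.g. web vs worker);
// a key present on only one side is reported as 'missing' on the other.
function snapshotDrift(array $a, array $b): array
{
    $drift = [];
    foreach (array_keys($a + $b) as $key) {
        if (($a[$key] ?? 'missing') !== ($b[$key] ?? 'missing')) {
            $drift[$key] = [$a[$key] ?? 'missing', $b[$key] ?? 'missing'];
        }
    }
    return $drift;
}

// With a baseline snapshot file as the first argument, compare instead of dumping.
if (isset($argv[1]) && is_file($argv[1])) {
    $baseline = json_decode((string) file_get_contents($argv[1]), true, 512, JSON_THROW_ON_ERROR);
    $drift = snapshotDrift($baseline, runtimeSnapshot());
    echo json_encode($drift, JSON_PRETTY_PRINT) . PHP_EOL;
    exit($drift === [] ? 0 : 1); // non-zero exit lets CI or a deploy hook fail on drift
}
echo json_encode(runtimeSnapshot(), JSON_PRETTY_PRINT) . PHP_EOL;
```

Run it once per environment to save a baseline, then run it again with that file as the argument from the web and worker hosts; the reported keys are exactly the components that drifted.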
Update More Than Composer Packages
Composer dependency audits matter, but the runtime also includes PHP itself, extensions, operating-system libraries, base images, web servers, proxies, databases, and build tooling.
Review abandoned dependencies and transitive packages. A lock-file update needs tests and a diff review, not blind acceptance.
Make Upgrades Routine
Use supported PHP versions and plan upgrades before a deadline becomes an emergency. Automated tests, static analysis, staging, canary rollout where appropriate, monitoring, and a rollback or roll-forward plan make maintenance predictable.
In Application Work
A codebase that cannot be upgraded safely is accumulating operational risk. Keep compatibility work small and continuous rather than waiting for a rushed migration.
What To Check
Before moving on, make sure you can inventory every runtime, audit dependencies, include extensions and infrastructure in update planning, and describe a tested rollout.
Practice
Practice: Create An Update Inventory
Requirements
- List runtime, CI, container, and hosting PHP versions.
- Include extensions and Composer dependencies.
- Define an advisory-monitoring process.
- Describe upgrade testing and rollout.
Review Points
- Track the PHP versions used locally, in CI, containers, servers, and managed hosting.
- Follow supported PHP release branches and plan upgrades before security support ends.
- Run dependency audits and review abandoned packages.
- Update extensions, base images, operating-system packages, and web servers too.
- Use automated tests and staging environments to make upgrades routine.