PHP at Scale #21
Welcome to the 21st edition of PHP at Scale. I am diving deep into the principles, best practices and practical lessons learned from scaling PHP projects - not only performance-wise but also code quality and maintainability.
This month, I will not cover any specific topic, as I am working on some bigger research for an upcoming release and did not manage to finish it on time. But so many new things came out in the PHP ecosystem in recent weeks that there is a lot to discuss.
PHP gets its own security team
I’ve already touched on security topics in the last release, and will cover them again this year. Looks like 2026 will be a security issues year, with many different attack vendors, and although I don’t like writing multiple times about similar things, this is what needs to be covered.
Announcing the Ecosystem Security Team at The PHP Foundation
Great to see this move, and have a person fully dedicated to the security of PHP, not only as a language, but also in terms of all the libraries, abandoned packages, etc.
There is also a short interview available that might give you a bit more insight.
Overall, a very good move from the PHP Foundation, and I look forward to the results it brings. Why? Just look at what happened in the last couple of days/weeks:
Symfony released a version with 11! security fixes - and acknowledged that there were a total of 19 vulnerabilities found by running Claude mythos.
Most of them are not huge, but still very impressive and concerning at the same time.A huge attack was conducted on some of the Laravel-lang repositories. Poisoning over 700 versions of different packages - not only new versions, but also older ones.
There is also an interesting story about GitHub tokens being exposed due to a token format change that broke Composer.
And that is not all that happened in the last month in terms of PHP security.
Async PHP getting a thing?
Since I last wrote about async PHP, I have the impression that the topic has begun to evolve quickly. More and more companies share their stories, and new libraries are released. Here are some that I think might be interesting as a follow-up to the #19 release of my newsletter
PHP Fibers: simplifying async code and speeding up development
Max from Manychat shares his story on how they used Fibers to simplify their async code and speed up development. Their story reminded me of a project I was consulting some time ago, with a very similar issue they had - hidden IO issues due to OpenSSL performance. I always find similar case studies worth a look before implementing something on your own.
A Fiber-native, enterprise-grade asynchronous ecosystem for PHP 8.4+
A new library that introduces async based on Fibers. Not sure if I would include it in any production project as it is quite fresh, but it looks interesting, and comes with MySQL/PostgreSQL support built in. I did some benchmarks previously, and the amqphp MySQL library does a great job for concurrent queries. I expect this one to work too, but I’ll run some benchmarks in the future to compare them.
Generic PHP News
Is it finally time for PHP generics?
A review of the most recent RFC for generics in PHP. Each year, PHP is getting closer to having generics built in, but are we close enough to actually get them soon? The article takes an interesting angle and raises some important questions.
Unpopular opinion: for my next SaaS, I'd choose PHP.
A summary of how the company I work for looks at PHP, and why we consider it a very good option for SaaS development. Next to the summary, there are almost 180 comments, often bringing up interesting stories.
Next month?
Next month, I plan to focus entirely on security, supply chain attacks and all the other things that might strike us in 2026. If you have interesting stories/tips to share - let me know!
Why is this newsletter for me?
If you are passionate about well-crafted software products and despise poor software design, this newsletter is for you! With a focus on mature PHP usage, best practices, and effective tools, you'll gain valuable insights and techniques to enhance your PHP projects and keep your skills up to date.
I hope this edition of PHP at Scale is informative and inspiring. I aim to provide the tools and knowledge you need to excel in your PHP development journey. As always, I welcome your feedback and suggestions for future topics. Stay tuned for more insights, tips, and best practices in our upcoming issues.
May thy software be mature!