Open Collective
PHP Core Roundup #10
Published on March 3, 2023 by Roman Pronskiy

Welcome back to the tenth in the PHP Core Roundup series. As February comes to an end, we have plenty of PHP developments to write about. February was a month full of new RFCs for the upcoming PHP 8.3, merged changes, security releases for PHP 8.2, 8.1, and 8.0, as well as several discussions on the mailing list about improving PHP.

The PHP Foundation currently supports six part-time PHP contributors who work on maintenance and new features for PHP. Maintenance is not limited to fixing bugs, but also includes work to reduce technical debt, making life easier for everyone working on PHP. The contributors funded by the PHP Foundation collaborate with other contributors on code, documentation, and discussions.

Call for PHP 8.3 Release Managers

Sergey Panteleev, one of the PHP 8.2 release managers, called for volunteers to put their names forward to be the release managers for the upcoming PHP 8.3. Typically, each major PHP version gets two or three release managers, one of whom is a "veteran" RM with previous experience being an RM.
Release managers will be responsible for tagging releases, coordinating releases, triaging security issues, and will have the ultimate say on last-minute RFCs and the release schedule. The standard PHP support cycle of two years of active support, followed by a year of security support, means this position lasts for three years.

The release managers will be elected with the same RFC voting process. Applications will be accepted until 31 March 12:00:00 UTC. Elections (if needed) will start on 1 April and run until 16 April 12:00:00 UTC.

The RM process is thoroughly documented, and previous RMs and PHP core contributors will be there to help. If you have reasonable internals knowledge, are able to triage security issues and bugs, review and merge pull requests, and overall take responsibility for managing a branch of one of the most widely used programming languages in the world, feel free to email the list and put your name forward.

PHP 8.2.3, 8.1.16, and 8.0.28 Security Fix Releases

PHP 8.2.3, 8.1.16, and 8.0.28 were released on February 14, containing fixes for three security vulnerabilities along with several bug fixes.

PHP 7.4 has reached its End-Of-Life, and there will be no security fix releases.

Recent RFCs and Mailing List Discussions

Changes and improvements to PHP are discussed, reported, and voted on by the PHP Foundation Team, the PHP development team, and contributors. Bug reports are made to the PHP issue tracker, changes are discussed in mailing lists, minor code changes are proposed as pull requests, and major changes are discussed in detail and voted on as PHP RFCs. Documentation and website changes are also discussed and improved at their relevant Git repositories on GitHub.

Hundreds of awesome PHP contributors put their efforts into improvements to the PHP code base, documentation, and the website. Here is a summary of some changes made by the people behind PHP. Things marked with 💜 are done by the PHP Foundation team.

RFC Updates

Following are the RFCs and major pull-requests discussed, voted on, and implemented since our last update.

RFC In Voting: Saner array_(sum|product)() by George Peter Banyard 💜
Proposes to change the current behavior of array_sum and array_product to properly handle non-numeric values. This results in additional warnings when these functions encounter unsupported types such as certain objects, arrays, and resources. Further, it can result in different return values on objects that support arithmetic operations.

RFC In Voting: Typed class constants by Benas Seliuginas and Máté Kocsis 💜
Despite the huge efforts put into improving the type system of PHP year after year, it is still not possible to declare constant types. This is less of a concern for global constants, but can indeed be a source of bugs and confusion for class constants. This RFC proposes to add support for declaring class, interface, trait, as well as enum constant types:

enum E {
  const string TEST = "Test1";
}

trait T {
  const string TEST = E::TEST;
}

interface I {
  const string TEST = E::TEST;
}

class C {
  const string TEST = E::TEST;
}

RFC Partially Accepted: Readonly amendments by Nicolas Grekas and Máté Kocsis 💜
This RFC attempts to address some of the shortcomings of PHP 8.1 readonly properties and 8.2 readonly classes.

This RFC proposed allowing readonly classes to be extended by non-readonly classes (currently not allowed, and causes a fatal error), and allowing readonly properties to be reinitialized during cloning (within the __clone() magic method).

During the two-part RFC vote, the first change of allowing readonly classes to be extended by non-readonly classes was rejected. The second change of making it possible to reinitialize readonly properties during cloning was accepted.

RFC Implemented: More Appropriate Date/Time Exceptions 💜
This RFC by Derick Rethans proposed introducing Date/Time extension-specific exceptions and errors. The detailed RFC suggests more specific exception classes such as DateInvalidTimeZoneException and DateMalformedPeriodStringException, as well as promoting some of the current PHP warnings to Error exceptions.

The changes are now merged.

Notable Mailing List Discussions

Merged Change Highlights

  • Alex Dowad continued his series of optimizations to the mbstring extension. PHP 8.2 received several impactful performance improvements in the mbstring extension too.
  • Jakub Zelenka 💜 added a new INI directive max_multipart_body_parts to PHP 8.0, 8.1, and 8.2 (in addition to the master branch). When set, PHP limits the number of body parts it processes in multipart requests. This is to prevent a DoS attack vector reported as GHSA-54hq-v5wp-fqgv.
  • Max Kellermann continued to clean up several extensions and the Zend engine.
  • David Carlier also continued his series of additions and improvements to the Socket extension, widening the features and their availability in various operating environments.
  • Niels Dossche implemented GH-9826, making it possible for class_alias() to work with internal classes. Previously, it was not possible to alias an internal class with class_alias(), and attempting it resulted in a ValueError exception saying the class must be a user-defined class.
For the full list of commits since PHP Core Roundup #9, see here.
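
To check which body-part limit a given runtime applies after the max_multipart_body_parts change described above, a small audit script helps. This is an added example, not code from php-src or the PHP Foundation; the function names are hypothetical, the non-runtime rows are constructed samples, and the handling of -1 (the default, meaning max_input_vars + max_file_uploads) follows the PHP manual rather than this page.

```php
<?php
// Added example; not code from php-src or the PHP Foundation.
// Reports which multipart body-part limit applies to a PHP runtime.

function effective_multipart_limit(array $ini): array
{
    // ini_get() returns false for a directive the build does not know,
    // i.e. a build without the max_multipart_body_parts change.
    if ($ini['max_multipart_body_parts'] === false) {
        return ['status' => 'unsupported', 'limit' => null];
    }
    $configured = (int) $ini['max_multipart_body_parts'];
    if ($configured >= 0) {
        return ['status' => 'explicit', 'limit' => $configured];
    }
    // Assumption (PHP manual): the default -1 means
    // max_input_vars + max_file_uploads.
    $derived = (int) $ini['max_input_vars'] + (int) $ini['max_file_uploads'];
    return ['status' => 'derived', 'limit' => $derived];
}

function read_runtime_ini(): array
{
    $keys = ['max_multipart_body_parts', 'max_input_vars', 'max_file_uploads'];
    return array_combine($keys, array_map('ini_get', $keys));
}

// The first row is the live runtime; the others are constructed samples.
$cases = [
    'this runtime' => read_runtime_ini(),
    'constructed: older build' => [
        'max_multipart_body_parts' => false,
        'max_input_vars' => '1000', 'max_file_uploads' => '20',
    ],
    'constructed: default' => [
        'max_multipart_body_parts' => '-1',
        'max_input_vars' => '1000', 'max_file_uploads' => '20',
    ],
    'constructed: explicit' => [
        'max_multipart_body_parts' => '200',
        'max_input_vars' => '1000', 'max_file_uploads' => '20',
    ],
];

foreach ($cases as $label => $ini) {
    $r = effective_multipart_limit($ini);
    printf("%-26s %-12s %s\n", $label, $r['status'], $r['limit'] ?? 'directive not available');
}
```

A status of "unsupported" on a production host means the build does not include the directive and should be updated to one of the security releases listed above.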

Support PHP Foundation

At PHP Foundation, we support, promote, and advance the PHP language. We financially support six part-time PHP core developers to contribute to the PHP project. You can help support PHP Foundation at OpenCollective.

A big thanks to all our sponsors — PHP Foundation is all of us!

Follow us on Twitter @ThePHPF to get the latest updates from the Foundation.
💜 🐘

PHP Roundup is prepared by Ayesh Karunaratne from PHP.Watch, a source for PHP News, Articles, Upcoming Changes, and more.