Supply Chain Security in the PHP Ecosystem

Every modern PHP application is built on a foundation of third-party packages, each with its own dependencies and its own trust assumptions. Recent supply chain attacks in neighbouring ecosystems have made it painfully clear that what ends up in your vendor directory matters as much as the code you write yourself.

For years, the PHP ecosystem relied on informal tooling to keep vulnerable packages out: reports printed after an install had already completed, and a clever abuse of the dependency resolver's conflict rules to make known-bad versions uninstallable. Recent Composer versions have replaced both with something stronger: advisory enforcement has moved into the resolver itself, and the same machinery has been generalised so that malware flags, policy rules, and whatever category comes next can plug into the same pipeline.

This talk walks through the PHP software stack's supply chain from the bottom up. Where does advisory data come from, and how is it aggregated? How do resolver-level blocking and filter lists actually work? How do they relate to, and supersede, the older tooling? Where can the new defaults bite you in ways a passive audit never did? And what should both application developers and maintainers do today?
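The shift the abstract describes, from an audit report printed after installation to advisory enforcement inside the resolver, as an added illustrative model (this is not Composer's code; the package names, versions and advisory ranges are constructed, and only the affected-version syntax follows the Packagist convention of `|` between ranges and `,` within one):

```python
"""Post-install audit versus resolver-level advisory blocking (toy model)."""
from __future__ import annotations

import operator
import re

# Constructed sample data, not real packages or advisories.
# Affected ranges: '|'-separated alternatives, ','-joined constraints.
ADVISORIES = {
    "acme/http": ["<1.2.5", ">=2.0.0,<2.0.3"],
    "acme/yaml": [">=0.1.0"],  # every published version is affected
}
AVAILABLE = {
    "acme/http": ["1.2.4", "1.2.5", "2.0.0", "2.0.2"],
    "acme/yaml": ["0.1.0", "0.2.0"],
}
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def _v(version: str) -> tuple[int, ...]:
    """Turn 'x.y.z' into a comparable tuple (dotted integers only)."""
    return tuple(int(part) for part in version.split("."))


def _satisfies(version: str, constraint: str) -> bool:
    m = re.fullmatch(r"(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return _OPS[m.group(1) or "="](_v(version), _v(m.group(2)))


def is_affected(version: str, affected: list[str]) -> bool:
    """True when the version falls inside any advisory range."""
    return any(all(_satisfies(version, c) for c in rng.split(","))
               for rng in affected)


def audit_after_install(pkg: str) -> tuple[str, bool]:
    """Old model: install the highest version, then report on it."""
    chosen = max(AVAILABLE[pkg], key=_v)
    return chosen, is_affected(chosen, ADVISORIES.get(pkg, []))


def resolve_blocking(pkg: str) -> str | None:
    """New model: affected versions never reach selection. The result is
    the highest clean version, possibly a silent downgrade, or None when
    nothing is left, where an audit would only have warned."""
    clean = [v for v in AVAILABLE[pkg]
             if not is_affected(v, ADVISORIES.get(pkg, []))]
    return max(clean, key=_v) if clean else None
```

Running both models over the same data shows the two ways the new default bites: `acme/http` resolves to 1.2.5 instead of the 2.0.2 an audit would have installed and flagged, and `acme/yaml` cannot be installed at all.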

This presentation currently exists only as an idea and has not yet been accepted by a conference.

About me

I am the creator and maintainer of PHPUnit, the de facto standard testing framework within the PHP ecosystem. Used by millions of developers, it is embedded in the build pipelines of start-ups, Fortune 500 companies, and public sector organisations alike. I serve on the board of the PHP Foundation and am a co-founder of thePHP.cc, where I advise organisations on testing strategy, software architecture, and dependency management.

I have over 25 years of experience working with Open Source software, having contributed to the PHP language itself as well as the tools on which that ecosystem depends. PHPUnit is one of those packages that quietly lands in millions of vendor directories, which means I see supply chain security from both ends: as a maintainer whose releases others must be able to trust, and as a consultant to organisations that need to know what ended up in their own. That experience, as a maintainer of critical dependencies and an adviser to the people who depend on them, informs my writing and speaking on software quality, security, and the trust assumptions baked into every dependency we install.
