Supply Chain Security in the PHP Ecosystem

Every modern PHP application is built on a foundation of third-party packages, each with its own dependencies and its own trust assumptions. Recent supply chain attacks in neighbouring ecosystems have made it painfully clear that what ends up in your vendor directory matters as much as the code you write yourself.

For years, the PHP ecosystem relied on informal tooling to keep vulnerable packages out: reports printed after an install had already completed, and a clever abuse of the dependency resolver's conflict rules to make known-bad versions uninstallable. Recent Composer versions have replaced both with something stronger: advisory enforcement has moved into the resolver itself, and the same machinery has been generalised so that malware flags, policy rules, and whatever category comes next can plug into the same pipeline.

This talk walks through the PHP software stack's supply chain from the bottom up. Where does advisory data come from, and how is it aggregated? How do resolver-level blocking and filter lists actually work? How do they relate to, and supersede, the older tooling? Where can the new defaults bite you in ways a passive audit never did? And what should both application developers and maintainers do today?
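The two older mechanisms the abstract refers to are easiest to understand side by side in code. The following is an added example, not code from the talk or from Composer itself: a short PHP script that (1) performs the post-install style check that `composer audit` does, matching the versions recorded in `composer.lock` against an advisory feed in the shape of the Packagist security-advisories API, and (2) turns the same feed into the `conflict` block of a metapackage, which is the resolver trick popularised by roave/security-advisories. The lock file, the package names and the `EXAMPLE-*` advisory identifiers are constructed for the demonstration; the constraint matcher is deliberately minimal and only understands the `>=a,<b` ranges joined by `|` that advisory feeds use, so a real tool should rely on composer/semver instead.

```php
<?php
declare(strict_types=1);

// Constructed composer.lock excerpt (only the fields this example needs).
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "acme/http-client",     "version": "1.4.2"},
    {"name": "acme/template-engine", "version": "v3.0.1"},
    {"name": "acme/yaml-parser",     "version": "2.9.0"}
  ],
  "packages-dev": [
    {"name": "acme/test-helper",     "version": "0.3.0"}
  ]
}
JSON;
$lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);

// Constructed advisory feed in the shape of the Packagist security-advisories API:
// package name => advisories, each with a Composer version constraint.
// All package names and advisory IDs are hypothetical.
$advisories = [
    'acme/http-client' => [
        ['advisoryId' => 'EXAMPLE-0001', 'title' => 'Header injection',
         'affectedVersions' => '>=1.0,<1.4.3|>=2.0,<2.1.1'],
    ],
    'acme/template-engine' => [
        ['advisoryId' => 'EXAMPLE-0002', 'title' => 'Sandbox escape',
         'affectedVersions' => '<3.0.0'],
    ],
    'acme/yaml-parser' => [
        ['advisoryId' => 'EXAMPLE-0003', 'title' => 'Unsafe object instantiation',
         'affectedVersions' => '>=2.0,<2.9.1'],
    ],
];

/**
 * Minimal constraint matcher: "|" or "||" separates alternatives (OR),
 * "," separates terms inside one alternative (AND). Uses version_compare(),
 * which is not Composer's semver implementation; see the note above.
 */
function versionIsAffected(string $version, string $constraint): bool
{
    $version = ltrim($version, 'v');

    foreach (preg_split('/\s*\|{1,2}\s*/', trim($constraint)) as $range) {
        $allTermsMatch = true;

        foreach (preg_split('/\s*,\s*/', trim($range)) as $term) {
            if (!preg_match('/^(>=|<=|==|!=|>|<|=)?\s*v?(.+)$/', $term, $m)) {
                throw new InvalidArgumentException("Unsupported constraint term: {$term}");
            }
            $operator = ($m[1] === '' || $m[1] === '=') ? '==' : $m[1];

            if (!version_compare($version, $m[2], $operator)) {
                $allTermsMatch = false;
                break;
            }
        }

        if ($allTermsMatch) {
            return true;
        }
    }

    return false;
}

/** Report-only check over an already resolved lock file, like "composer audit". */
function audit(array $lock, array $advisories): array
{
    $findings = [];
    $installed = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);

    foreach ($installed as $package) {
        foreach ($advisories[$package['name']] ?? [] as $advisory) {
            if (versionIsAffected($package['version'], $advisory['affectedVersions'])) {
                $findings[] = sprintf('%s %s: %s (%s)', $package['name'],
                    $package['version'], $advisory['title'], $advisory['advisoryId']);
            }
        }
    }

    return $findings;
}

/** Conflict-rule trick: the same feed becomes the "conflict" map of a metapackage. */
function conflictBlock(array $advisories): array
{
    $conflict = [];
    foreach ($advisories as $name => $list) {
        // Composer treats "|" inside a constraint as OR, so the affected ranges
        // of every advisory for a package collapse into one conflict constraint.
        $conflict[$name] = implode('|', array_column($list, 'affectedVersions'));
    }
    return $conflict;
}

foreach (audit($lock, $advisories) as $finding) {
    echo 'VULNERABLE: ', $finding, "\n";
}

echo json_encode(
    ['name' => 'example/security-advisories', 'type' => 'metapackage',
     'conflict' => conflictBlock($advisories)],
    JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
), "\n";
```

Run it with `php audit-example.php`. The contrast it makes visible is the one the abstract draws: the audit function only knows about a vulnerable version after the lock file has already been written, while the conflict map makes the resolver refuse those versions in the first place, but only for the advisories known when the metapackage was last updated, and only if the metapackage is actually required by the project. Both rely on the constraint strings being accurate; a feed entry with an unsupported constraint shape makes this matcher throw rather than silently report the package as safe.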

This presentation currently exists only as an idea and has not yet been accepted by a conference.

About me

My name is Sebastian Bergmann and I am the creator of PHPUnit, the industry-standard testing framework that has greatly improved the professionalism of PHP software development.

As founding partner of and consultant with The PHP Consulting Company (thePHP.cc), I assist teams in adopting PHPUnit, optimizing its use, refining development workflows, and writing more testable code.

More events where you can meet me are listed here.

My interactive online training courses are designed to provide you with practical knowledge that you can apply immediately. The next ones starting soon are listed here.

Upcoming events

SymfonyLive Berlin

From to , I will be in Berlin at the SymfonyLive. There I will give the presentation "Debugging Performance in PHP".

Stay up to date with PHPUnit

You can follow @phpunit@phpc.social to stay up to date with PHPUnit's development.

You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.