Investing in security
Written on 2026-05-19
Hi
It hasn't been long since I wrote my post about Dependency Hygiene, and many things have happened since then. First, there was a supply-chain attack on a popular PHP package, which was luckily caught very soon after the affected version got published. Then there was a change at GitHub that caused Composer to print out GitHub access tokens in public action logs. As far as we know, the bug hasn't been exploited and was quickly fixed.
There's also good news, though: the PHP Foundation just announced they have gotten a grant from the Linux Foundation which allows them to pay a full-time employee to work on ecosystem security.
All these things show that PHP definitely isn't immune to malicious attackers, but also that the community is very serious about it. I'm currently working on some more content and interviews about these happenings, and I'll keep you posted about them soon.
From the feed
In other news, here are some of the things that caught my eye over the past weeks:
- Larry wrote about the new generics RFC. I'm also working on a video and blog post about it, by the way. It's coming!
- There's a new RFC about scope closures. Very interesting, I hope it passes.
- Internals have been discussing PHP's social media presence. I have a couple of thoughts about it myself as well.
- Speaking of security: Hardening Firefox with Claude Mythos.
- Sustainable open source
- You can share your thoughts on the new generics RFC as well
- From experience to shared knowledge; PHP Reads is a pretty good new platform that I enjoy following.
That's all I have today, have a good week!
Brent