PHP 8.2 security support sunset

The PHP core team retires version 8.2 from active security support on December 31, 2025, concluding the language’s three-year lifecycle. After that date the project stops releasing official security patches, leaving unpatched vulnerabilities to accumulate across content management systems, e-commerce platforms, and custom workloads still pinned to 8.2. Engineering leaders must accelerate migrations to PHP 8.3 or later, validate framework compatibility, and capture change-control evidence before compliance auditors flag unsupported runtimes.

Key engineering signals

• Official lifecycle. The PHP Foundation’s supported versions matrix lists December 2025 as the final month for 8.2 security fixes, with no extended support channel.
• Framework alignment. Major ecosystems—Symfony 7, Laravel 11, Drupal 11—have already declared compatibility with PHP 8.3, reducing blockers for production upgrades.
• Dependency exposure. Composer package maintainers are publishing notices that future releases will require PHP 8.3+, signaling imminent deprecation of 8.2 compatibility flags.

Aligning your controls

• SOC 2 CC7 and CC8. Document runtime upgrade plans, regression testing, and deployment approvals to prove unsupported software risk is mitigated.
• PCI DSS 6.3.2. Merchants using PHP-based commerce stacks must show they patched or upgraded to a supported runtime before the December deadline.
• ISO/IEC 27001 A.12.6.1. Maintain vulnerability management records that trace CVE remediation to the PHP engine uplift.

What to watch for

• Instrument SBOM scanners and vulnerability management tools to flag services still running PHP 8.2 as the sunset approaches.
• Alert when Composer lockfiles or container base images reference 8.2 builds, triggering remediation workflows.

Practical next steps

• Stand up parallel staging stacks on PHP 8.3 or 8.4, executing regression and performance test suites alongside production traffic simulations.
• Coordinate with CMS and plugin vendors to validate upgrade windows, ensuring third-party modules ship compatible releases before the support cutoff.
• Update documentation, runbooks, and customer communications so client success teams can explain the security rationale for runtime migrations.

Source material

• PHP.net: Supported versions and security support timeline
• Stitcher.io: What’s new in PHP 8.3 and ecosystem adoption signals

Orchestrating PHP platform upgrades—updating build pipelines, validating Composer ecosystems, and delivering the compliance artifacts auditors expect when deprecated runtimes retire.

Developer guidance

Development teams should adopt practices that ensure code quality and maintainability during and after this transition:

• Code review focus areas: Update code review checklists to include checks for deprecated patterns, new API usage, and migration-specific concerns. Establish review guidelines for changes that span multiple components.
• Documentation updates: Ensure README files, API documentation, and architectural decision records reflect the changes. Document rationale for setup choices to aid future maintenance.
• Version control practices: Use feature branches and semantic versioning to manage the transition. Tag releases clearly and maintain changelogs that highlight breaking changes and migration steps.
• Dependency management: Lock dependency versions during migration to ensure reproducible builds. Update package managers and lockfiles systematically to avoid version conflicts.
• Technical debt tracking: Document any temporary workarounds or deferred improvements introduced during migration. Create backlog items for post-migration cleanup and improvement.

Consistent application of development practices reduces risk and accelerates delivery of reliable software.

Sustaining operations

If you are affected, plan for ongoing maintenance and evolution of systems affected by this change:

• Support lifecycle awareness: Track support timelines for dependencies, runtimes, and platforms. Plan upgrades before end-of-life dates to maintain security patch coverage.
• Continuous improvement: Establish feedback loops to identify improvement opportunities. Monitor performance metrics and user feedback to guide iterative improvements.
• Knowledge management: Build team expertise through training, documentation, and knowledge sharing. Ensure institutional knowledge is preserved as team composition changes.
• Upgrade pathways: Maintain awareness of future versions and breaking changes. Plan incremental upgrades rather than large leap migrations where possible.
• Community engagement: Participate in relevant open source communities, user groups, or vendor programs. Stay informed about roadmaps, good practices, and common pitfalls.

preventive maintenance planning reduces technical debt accumulation and ensures systems remain secure, performant, and aligned with business needs.

• Test coverage analysis: Review existing test suites to identify gaps in coverage for affected functionality. Prioritize test creation for high-risk areas and critical user journeys.
• Regression testing: Establish full regression test suites to catch unintended side effects. Automate regression runs in CI/CD pipelines to catch issues early.
• Performance testing: Conduct load and stress testing to validate system behavior under production-like conditions. Establish performance baselines and monitor for degradation.
• Security testing: Include security-focused testing such as SAST, DAST, and dependency scanning. Address identified vulnerabilities before production deployment.
• User acceptance testing: Engage teams in UAT to validate that changes meet business requirements. Document acceptance criteria and sign-off procedures.

A full testing strategy provides confidence in changes and reduces the risk of production incidents.

Working across teams

Effective collaboration across teams ensures successful adoption and ongoing support:

• Cross-functional alignment: Coordinate with product, design, QA, and operations teams on setup timelines and dependencies. Establish regular sync meetings during transition periods.
• Communication channels: Create dedicated channels for questions, updates, and issue reporting related to this change. Ensure relevant teams are included in communications.
• Knowledge sharing: Document lessons learned and share good practices across teams. Conduct tech talks or workshops to build collective understanding.
• Escalation paths: Define clear escalation procedures for blocking issues. Ensure decision-makers are identified and available during critical phases.
• Retrospectives: Schedule post-setup retrospectives to capture insights and improve future transitions. Track action items and follow through on improvements.

Strong collaboration practices accelerate delivery and improve outcomes across the organization.

More on this topic

Further reading from our research library.

Developer · Credibility 86/100 · October 5, 2025

Python and Runtime upgrades

Python 3.9 reaches end-of-life this month, ending security fixes and requiring platform teams to complete migrations to Python 3.10+ before the final 3.9.20 security release ships.

Developer · Credibility 94/100 · October 1, 2025

Developer Enablement — Node.js 22

Node.js 22 hit Active LTS on October 1, 2025, which means you have got 30 months of maintenance ahead. The V8 13.2 engine brings performance improvements, and there is a new permission model if you want granular control…

Developer · Credibility 90/100 · December 8, 2025

PHP 8.2 Security Support Ends

PHP 8.2 security support continues but plan ahead—each PHP version has a limited support window. Stay on actively supported versions to ensure security patches. PHP 8.3 and 8.4 are your forward path.

Developer · Credibility 86/100 · July 8, 2025

Node.js and Runtime upgrades

Enterprises must complete Node.js 18 end-of-life remediation by July 2025 with board-approved upgrade governance, evidence-backed asset inventories, and reporting on residual technical debt and third-party exposure.

Developer · Credibility 94/100 · March 17, 2025

Developer Enablement — OpenJDK 25

OpenJDK 25 went GA in March 2025. This is the next LTS release after JDK 21, so it is the one most enterprises will target for production upgrades. Key features include Project Loom improvements (virtual threads), better…

Continue in the Developer pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Secure Software Supply Chain Tooling Guide

  Engineer developer platforms that deliver verifiable provenance, SBOM distribution, vendor assurance, and runtime integrity aligned with SLSA v1.0, NIST SP 800-204D, and CISA SBOM…

• Developer Enablement & Platform Operations Guide

  Plan AI-assisted development, secure SDLC controls, and runtime upgrades using our research on GitHub Copilot, GitHub Advanced Security, and major language lifecycles.

• Continuous Compliance CI/CD Guide

  Implement CI/CD pipelines that satisfy NIST SP 800-218, OMB M-24-04 secure software attestations, FedRAMP continuous monitoring, and CISA Secure-by-Design guidance while preserving…

Source material

1. PHP.net: Supported versions and security support timeline — php.net
2. Stitcher.io: What’s new in PHP 8.3 — stitcher.io
3. ISO/IEC 27034-1:2011 — Application Security — International Organization for Standardization