Developer Briefing — December 8, 2025

Executive briefing: PHP 8.2 leaves security support on 8 December 2025. After that date, no upstream CVE patches will land. This briefing delivers a deep migration runbook with compatibility test tables, diagrams, and metrics, plus navigation to the pillar hub, the PHP 8.2 security sunset roadmap, and related briefs on Data Act connected-product readiness and ISO 27001:2022 transition.

Why this cutover matters

• No CVE fixes: Vulnerabilities disclosed after 8 December 2025 will not be patched upstream.
• Dependency pressure: Frameworks (Laravel, Symfony), extensions, and containers will drop 8.2 support rapidly.
• Compliance exposure: Unsupported runtimes complicate PCI DSS, SOC 2, and ISO 27001 evidence.
• Cloud image retirement: Managed platform images will deprecate 8.2, forcing upgrades or custom maintenance.

Upgrade sequence (8.2 → 8.3/8.4)

Compatibility focus areas

• Removed dynamic properties and tightened readonly enforcement—refactor legacy classes.
• Deprecation of ${str} variable interpolation in strings—update templates and legacy code.
• Locale-sensitive case conversion changes—verify authentication and slug generation.
• Extension updates (intl, gd, sodium) that may alter defaults—lock tested versions.
• Updated random extension APIs and deprecations—audit cryptography wrappers.

Test matrix

Architecture diagram

Metrics to track

• Coverage: % of services migrated to 8.3+; target 100% by mid-November 2025.
• Defect rate: Production incidents attributable to upgrade per 1,000 deployments; target < 0.5.
• Performance delta: Latency/throughput vs 8.2 baseline; target >= parity.
• Security posture: Count of high/critical CVEs in runtime images; target 0.
• Rollback frequency: Number of rollbacks triggered during migration; investigate >1 per week.
• Supportability: % of third-party extensions with maintained 8.3+ releases; target 100%.

Risk controls and evidence

• Document php.ini diffs and hardening steps; store in configuration management.
• Preserve test reports, performance benchmarks, and security scan results for audit.
• Update BCP/DR runbooks to reflect restored images and library baselines.
• Capture change-approval records and rollback decisions for each rollout wave.
• Maintain inventory of unsupported 8.2 workloads with isolation and decommission dates.

Vendor and platform alignment

Coordinate with managed hosting, APM agents, and payment gateways to confirm 8.3/8.4 compatibility. Lock image versions with supported OpenSSL, ICU, and glibc builds. Require vendors to provide end-of-support timelines and migration guides. Validate CDN, WAF, and identity integrations in staging before promoting images.

Rollout governance

Use change-advisory approvals with clear rollback criteria. Stage migrations by risk tier: external customer apps first in low-traffic windows, then internal tools, finally batch jobs. Ensure observability dashboards show error budgets, memory usage, and queue depths specific to 8.3/8.4 changes.

Training and communications

Publish developer notes on deprecated features, provide code mods for dynamic properties, and host office hours. Communicate cutover timelines to customer support and sales engineering so they can prepare messaging on maintenance windows and compatibility.

Bottom line: Treat December 2025 as the hard stop for PHP 8.2. Finish inventories, compatibility fixes, and blue/green rollouts early to avoid unpatched runtimes and compliance gaps.

Supply-chain and container hygiene

Rebuild base images with updated compilers, OpenSSL, and ICU, and sign images to enforce provenance. Scan images for CVEs pre- and post-upgrade and block deployments with high/critical findings. Mirror composer dependencies to an internal registry to reduce supply-chain risk.

Compliance alignment

Map migration evidence to PCI DSS 4.0 requirements for secure software lifecycle, SOC 2 CC7/CC8 controls on change management and availability, and ISO 27001 Annex A controls on secure development. Store mappings with supporting artifacts for auditors.

Fallback and extended support considerations

If certain workloads cannot migrate in time, isolate them on dedicated hosts, restrict internet egress, and apply virtual patching (WAF rules, configuration hardening). Document sunset dates and ownership, and evaluate commercial extended-support options as a temporary bridge.

Post-migration validation

After each rollout wave, verify monitoring baselines, error budgets, and customer-facing SLAs. Capture lessons learned and update the runbook; schedule a final post-mortem in December 2025 to close remaining risks.

Database and cache compatibility

Validate PDO drivers, Redis/memcached clients, and message-queue libraries against 8.3/8.4. Confirm serialization changes do not affect session handling or queue payloads; run data-migration rehearsals if serialization formats changed.

User acceptance and rollback drills

Schedule UAT cycles with business owners for high-traffic workflows. Practice rollbacks by failing over to 8.2 images in staging, measuring data consistency, and ensuring feature flags guard incompatible code paths.

Observability enhancements

Instrument new metrics for GC cycles, JIT behaviour, and memory fragmentation introduced by 8.3/8.4. Update alert thresholds and dashboards to detect regressions early in canary phases.

Documentation and knowledge transfer

Create concise upgrade guides, code examples, and FAQs for engineering teams. Track adoption via pull requests and linting rules that flag deprecated patterns. Archive decisions on compatibility shims and sunset dates.

Business continuity overlays

Update incident runbooks to reflect new runtime versions, ensuring recovery automation, health checks, and configuration management references are current. Validate backup encryption compatibility and retention policies post-upgrade.

Finance and licensing checks

Review commercial support agreements, extension licensing, and cloud image costs for 8.3/8.4. Adjust budgets for increased scanning, testing, or commercial extended support if any 8.2 workloads persist temporarily.

Security scanning cadence

Embed SCA/SAST/DAST scans in CI for all PHP services and require clean reports before promotion. Schedule weekly image rescans during migration to capture late-breaking CVEs affecting 8.3/8.4 dependencies.

Operational metrics for leadership

Provide weekly dashboards on migration coverage, defect burn-down, performance deltas, and open risks. Use these metrics to prioritise engineering capacity and to brief risk/compliance stakeholders.

Legacy isolation strategy

If any PHP 8.2 systems must remain temporarily, segregate them in isolated network segments with tightened firewall rules, aggressive monitoring, and restricted authentication. Plan phased decommissioning dates and budget for emergency patches if zero-days emerge.

Customer-facing reliability

Coordinate with product owners to schedule releases outside of peak periods, communicate maintenance windows, and monitor user experience closely during cutovers. Capture customer feedback to refine deployment waves.

Data migration and schema checks

Review database migrations for compatibility with PHP 8.3/8.4 drivers and ensure charset/collation settings remain stable. Validate that ORM-generated queries behave consistently across versions.

Upgrade sign-off

Require joint approval from product owners, SRE, and security before declaring 8.3/8.4 the default runtime. Record sign-offs with links to test evidence, rollback plans, and updated SLAs.