PHP Extended Lifecycle Support (ELS) allows you to continue using older versions of PHP while still receiving security updates for the language, without introducing breaking changes to your application.

The first and obvious question might be, “Why would I want to do that instead of simply updating PHP?” Assuming your organization can upgrade your existing application codebase to a more recent language version, while ensuring no bugs are introduced, and thoroughly testing every scenario, there’s still the issue of also needing to migrate dependencies.

Dependencies Are Just Someone Else’s Problem

…is not the correct mindset. Dependencies become your problem the moment they are added to your codebase. A problem in a dependency can break your application or make it vulnerable to security issues, regardless of the quality and security of your own code.

But don’t just take our word for it. Here are some statistics to highlight the issue.

The Packagist Archive project (https://github.com/bettergistco/PackagistArchive) “contains virtually every active package and thousands of inactive packages published to Packagist,” the primary repository for PHP packages in the industry.

Interesting statistics provided include a table with the maximum reported version number of the packages:

 version | count  

———+——–

     5.0 |   1038

     5.1 |   1388

     5.2 |   3205

     5.3 |  34318

     5.4 |  58898

     5.5 |  76834

     5.6 |  96168

     7.0 | 121782

     7.1 | 149362

     7.2 | 171130

     7.3 | 183333

     7.4 | 206935

     8.0 | 195895

     8.1 | 216676

     8.2 | 215960

     8.3 | 215519

We observe that a staggering number of packages support only PHP version 5.6, with over 96,000 packages claiming that as the supported version. This means approximately 1 in 20 packages out of all available PHP packages may not be upgradeable to a more recent version of PHP without additional effort to ensure compatibility.

If 1 in 20 seems manageable, consider that the average project has dozens of dependencies, from simple helpers to complex frameworks.

But Surely Every Package Maintainer Will Update Their Packages

…or not. Over 29,000 packages are marked “dead,” meaning they are no longer actively supported. However, that doesn’t stop developers from using them, even years after they were last updated. Introducing these to a new version of PHP, which they were never designed for, is a sure way to break their functionality, especially given PHP’s tendency to introduce breaking changes with every version upgrade.

Upgrading PHP: The Right Choice, But Not Always Feasible

Upgrading to a more recent version of PHP is the ideal scenario. However, real-world situations, such as unsupported dependencies, the effort required, the costs associated with such an endeavor, and the lack of any immediate and tangible benefits to the application beyond “working just as it did before,” make the upgrade less appealing.

Most organizations will then seek alternatives – ensuring the security of PHP updates without the associated breakage. This is where PHP ELS can help. Find out more here.

The post Crunching Some Numbers on PHP Support appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Joao Correia. Read the original post at: https://tuxcare.com/blog/crunching-some-numbers-on-php-support/