
PHP End-of-Life Schedule & Security Implications

php · PHP 5.0+ · Beginner
debt(d5/e7/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list rector and lynis — both are specialist tools (a code-modernisation tool and a system auditing tool respectively) that must be deliberately run. The version can also be spotted via `php -v` or X-Powered-By headers, but none of this is surfaced by a default linter in the normal development workflow, pushing it past d3.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix says to use Rector for an upgrade, but upgrading from an EOL PHP version (e.g. 5.6 or 7.x) to a supported version touches every file that uses deprecated or removed syntax, requires dependency compatibility checks across all packages, and typically spans the entire codebase plus deployment/infrastructure configuration. This is more than a single-component refactor, landing firmly at e7.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). The applies_to covers web, cli, and queue-worker contexts — essentially all PHP execution contexts. Running on an EOL version imposes a constant compliance and security overhead, blocks library upgrades (many modern packages drop EOL PHP support), and affects every developer and deployment pipeline, but it does not architecturally dictate every individual code change the way a b7 choice would.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception field states exactly this trap: developers believe an EOL version is safe if no known exploits currently target it. This contradicts the security model of actively maintained software and is a well-documented but widely held wrong belief. New CVEs accumulate silently, making the 'no known exploit' assumption dangerously false — a serious cognitive trap scoring t7.


Also Known As

  • PHP EOL
  • PHP end of life
  • PHP support lifecycle

TL;DR

Each PHP minor version receives active support for 2 years and security-only fixes for 1 more year — running an EOL PHP version means no patches for discovered vulnerabilities.

Explanation

The PHP release cycle works as follows: each new minor version gets 2 years of active support (bug fixes and security patches), followed by 1 year of security-only support, after which it reaches end-of-life. Once a version is EOL, a CVE discovered in it will never receive an official patch. An attacker can learn which version you are running from the X-Powered-By header or an exposed phpinfo() page, look up the CVE, and use a public PoC against it. The PHP EOL schedule is published at https://www.php.net/supported-versions.php.

Common Misconception

"An EOL PHP version is safe as long as no known exploits target it." In reality, new CVEs are discovered constantly, and an EOL version accumulates unpatched vulnerabilities for as long as it stays in production.

Why It Matters

Running EOL PHP is a PCI-DSS compliance violation and a clear security risk — a single CVE in an EOL version can compromise the entire server.

Common Mistakes

  • Running PHP 5.6 or 7.x years after EOL with no upgrade plan
  • Assuming shared hosting will notify you when PHP goes EOL
  • Not testing against the latest PHP version proactively

Code Examples

✗ Vulnerable

```shell
# Running PHP 7.4 (EOL Dec 2022) in production — no security patches:
php --version
# PHP 7.4.33 (cli)
```

✓ Fixed

```shell
# Check EOL status: php.net/supported-versions
# Upgrade path: 7.4 → 8.1 → 8.3
php --version
# PHP 8.3.x (cli) — Active support until Nov 2026
```
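A version-to-support-status check that ties the release cycle described above to the `php -v` / X-Powered-By detection hints, as an added example that is not part of the original entry. The function names `php_branch` and `php_support_status` and the embedded `SCHEDULE` table are this script's own assumptions; the table is a snapshot of branch dates and must be refreshed from https://www.php.net/supported-versions.php, which is the authoritative source.

```shell
#!/bin/sh
# php_eol_check.sh: added example, not from the original page.
# Classify a PHP version string against the support schedule.
# SCHEDULE is a snapshot in "branch active_until security_until" form;
# refresh it from https://www.php.net/supported-versions.php before use.
SCHEDULE='
7.4 2021-11-28 2022-11-28
8.0 2022-11-26 2023-11-26
8.1 2023-11-25 2025-12-31
8.2 2024-12-31 2026-12-31
8.3 2025-12-31 2027-12-31
'

# Extract "major.minor" from "PHP 7.4.33 (cli)", "7.4.33" or a header
# value such as "X-Powered-By: PHP/7.4.33". Prints nothing if no match.
php_branch() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' |
        head -n 1
}

# YYYY-MM-DD -> YYYYMMDD so dates compare as integers in POSIX test.
datenum() { printf '%s\n' "$1" | tr -d '-'; }

# Print active | security-only | eol | unknown for VERSION as of DATE
# (YYYY-MM-DD). Exit status is 0 only while the branch still gets fixes.
php_support_status() {
    branch=$(php_branch "$1")
    today=$(datenum "$2")
    [ -n "$branch" ] || { echo unknown; return 1; }
    row=$(printf '%s\n' "$SCHEDULE" | awk -v b="$branch" '$1 == b { print; exit }')
    [ -n "$row" ] || { echo unknown; return 1; }
    set -- $row
    if [ "$today" -le "$(datenum "$2")" ]; then
        echo active
    elif [ "$today" -le "$(datenum "$3")" ]; then
        echo security-only
    else
        echo eol; return 1
    fi
}

# Stand-alone use: ./php_eol_check.sh "$(php -v | head -n 1)" [YYYY-MM-DD]
if [ $# -gt 0 ]; then
    php_support_status "$1" "${2:-$(date +%Y-%m-%d)}"
fi
```

Run from a deploy or CI step with the output of `php -v`, the non-zero exit status turns the schedule into a blocking check. Setting `expose_php = Off` in php.ini stops the X-Powered-By header from advertising the version, but it is not a substitute for the upgrade.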

Added 22 Mar 2026
Edited 23 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: High
⚡ Quick Fix
Check your PHP version with `php -v`, compare it to php.net/supported-versions.php, and start a Rector upgrade if you are on an EOL version.
📦 Applies To
PHP 5.0+ · web · cli · queue-worker
🔍 Detection Hints
`php -v` showing 5.x or 7.0/7.1/7.2/7.3; X-Powered-By exposing an EOL version; no upgrade plan
Auto-detectable: ✓ Yes (rector, lynis)
🤖 AI Agent
Confidence: High · False Positives: Low · ✗ Manual fix · Fix: High · Context: File · Tests: Update
CWE-1104 (Use of Unmaintained Third Party Components)
