Co-Founder of 
PHP Versions Stats - 2017.1 Edition
It's stats o'clock! See 2014, 2015, 2016.1 and 2016.2 for previous similar posts.
A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs of the last month for Composer installs done by someone. Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with.
PHP usage statistics
May 2017 (+/- diff from November 2016)
| All versions | Grouped | |||
| PHP 5.6.30 | 14.73% | PHP 7.0 | 36.12% (+1.11) | |
| PHP 7.0.15 | 9.53% | PHP 5.6 | 31.44% (-6.02) | |
| PHP 5.5.9 | 6.12% | PHP 7.1 | 17.64% (+16.28) | |
| PHP 7.0.17 | 6.00% | PHP 5.5 | 10.61% (-8.32) | |
| PHP 7.1.3 | 5.88% | PHP 5.4 | 3.11% (-2.29) | |
| PHP 7.1.4 | 3.65% | PHP 5.3 | 0.98% (-0.62) |
A few observations: With a big boost of PHP 7.1 installs, PHP 7 overall now represents over 50%. 5.3/5.4 are really tiny and even 5.5 is dropping significantly which is good as it is not maintained anymore since last summer. That's a total of 85% of installs done on supported versions, which is pretty good.
And because a few people have asked me this recently, while HHVM usage is not included above in the graph it is at 0.36% which is a third of PHP 5.3 usage and really hardly significant. I personally think it's fine to support it still in libraries if it just works, or if the fixes involved are minor. If not then it's probably not worth the time investment.
Also.. since I now have quite a bit of data accumulated and the pie chart format is kind of crappy to see the evolution, here is a new chart which shows the full historical dataset!
It is pretty interesting I think as it shows that 5.3/5.4/5.5 had people slowly migrating in bunches and the versions peaked at ~50% of the user base. On the other hand 5.6/7.0/7.1 peak around 35% which seems to indicate people are moving on faster to new versions. This is quite encouraging!
PHP requirements in Packages
The second dataset is which versions are required by all the PHP packages present on packagist. I only check the require statement in their current master version to see what the latest is.
PHP Requirements - Current Master - May 2017 (+/- diff from November 2016)
| 5.2 | 2.13% (-0.22) |
| 5.3 | 37.6% (-3.65) |
| 5.4 | 28.38% (-1.74) |
| 5.5 | 17.11% (+0.13) |
| 5.6 | 9.37% (+3.15) |
| 7.0 | 4.61% (+1.53) |
| 7.1 | 0.81% (+0.81) |
A few observations: This is as usual moving pretty slowly. I think I can give up trying to advise for change, it doesn't seem to be working.. On the other hand it looks like Symfony is going to use 7.0 or 7.1 for it's v4 to come out later this year, so hopefully that will shake things up a bit and make more libraries also realize they can bump to PHP 7.
PHP Requirements - Recent Master - May 2017 (+/- diff from Current Master November 2016)
In response to Nikita's comment below I ran the requirements numbers for packages that had some sort of commit activity over the last year. This excludes all stale/done packages and looks much more encouraging, but the difference points are probably overly large because they compare to the old numbers which included everything, therefore take those with a pinch of salt, and in the next six months update I'll have more trusty numbers.
| 5.2 | 1.52% (-0.83) |
| 5.3 | 23.15% (-18.1) |
| 5.4 | 24.41% (-5.71) |
| 5.5 | 23.7% (+6.72) |
| 5.6 | 16.81% (+10.59) |
| 7.0 | 8.73% (+5.65) |
| 7.1 | 1.67% (+1.67) |
May 06, 2017 // News, PHP // Post a comment
PHP Versions Stats - 2016.2 Edition
It's stats o'clock! See 2014, 2015 and 2016.1 for previous similar posts.
A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs of the last 28 days for Composer installs done by someone. Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with.
PHP usage statistics
I have two datasets, from May 2016 and today, which shows the progression of various versions.
May 2016
| All versions | Grouped | |||
| PHP 5.5.9 | 11.87% | PHP 5.6 | 39.67% | |
| PHP 7.0.6 | 10.39% | PHP 5.5 | 29.56% | |
| PHP 5.6.20 | 8.41% | PHP 7.0 | 20.24% | |
| PHP 5.6.21 | 7.69% | PHP 5.4 | 7.64% | |
| PHP 5.6.19 | 4.71% | PHP 5.3 | 2.43% |
November 2016
| All versions | Grouped | |||
| PHP 7.0.12 | 8.58% | PHP 5.6 | 37.46% | |
| PHP 5.5.9 | 8.25% | PHP 7.0 | 35.01% | |
| PHP 7.0.11 | 7.62% | PHP 5.5 | 18.93% | |
| PHP 7.0.8 | 6.92% | PHP 5.4 | 5.40% | |
| PHP 5.6.26 | 6.12% | PHP 5.3 | 1.60% | |
| PHP 5.6.27 | 4.49% | PHP 7.1 | 1.36% |
A few observations: 5.3 and 5.4 at this point are gone as far as I am concerned! 5.5 still has a good presence but lost 12% in 6 months which is awesome. 5.6 basically stayed stable as I suspect people jumped from 5.5 to 7 directly probably when upgrading Ubuntu LTS. 7.0 gained 15% and is now close to being the most deployed version, 1 year after release! That should definitely encourage more libraries to require it IMO, and I hope it is good encouragement to PHP internals folks as well to see that people actually upgrade these days :) Interestingly 7.1 is almost passing 5.3 already and it isn't even released. That is probably coming from CI installs mostly but for example I already run 7.1 on my local dev environment and I hope others do too.
PHP requirements in Packages
The second dataset is which versions are required by all the PHP packages present on packagist. I only check the require statement in their current master version to see what the latest is.
PHP Requirements - Current Master - November 2016 (+/- diff from May 2016)
| 5.2 | 2.35% (-0.16) |
| 5.3 | 41.25% (-4.01) |
| 5.4 | 30.12% (-1.57) |
| 5.5 | 16.98% (+1.5) |
| 5.6 | 6.22% (+2.7) |
| 7.0 | 3.08% (+1.54) |
A few observations: I don't know how else to say this but PEOPLE COME ON! This is moving waaaay slower than people are migrating their servers, and it doesn't make any sense to me. I guess there are a lot of projects out there that are somewhat stale or stable and not really changing and that makes sense, but if you still maintain a library, don't hesitate to require 7 and bump the major release at this point. You will have more fun using all the cool features of the language instead of being stuck writing array().
As I wrote in the last update: I would like to encourage everyone to be a bit more aggressive in bumping PHP requirements when tagging new major releases of their libs. Don't forget that the old code does not go away, it's still there to be used by people using legacy PHP versions.
However it seems that a lot of people here do not read and just look at the pictures, so allow me to illustrate this last point.
November 18, 2016 // PHP // Post a comment
Typo Squatting and Packagist
Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware.
The thesis mentions https://packagist.org as a good example as we use vendor namespaces:
[...] it is much more secure, if a package is named ntschacher/GoogleScraper instead of just GoogleScraper. The reason is: If the package name is misspelled and not the author name, this will not have any consequences, because the typo version cannot be registered in this namespace, since this author name is already reserved. [...] Because package names are much longer with two attributes, it is more likely that users will copy and paste the package name instead of remembering it.
Despite this mitigating fact, it is still technically possible to squat the vendor name, so I wanted to take a look at our repository data and see if I could spot any bad actors. I wrote a script that basically does the following:
- Read the list of all vendor names which have packages with at least 1000 downloads, as the others are unlikely targets or at least low value targets.
- Check the levenshtein distance of every vendor name against all others.
- If the distance is 1, then it checks for package names within those two vendors to see if they have any intersecting names. Those are then candidates for being typosquatters.
What did I find? 21 vendor pairs that conflict to some degree. Only one that looked like an actual typosquatting attempt, momolog/monolog, and it even had in the package description that it was a demonstration of typosquatting. I deleted it along with 5 others packages that were useless, but the others are still in place. A lot of it is just due to people renaming their vendor names, or simply people that picked similar names but don't seem to be abusing anything.
In the future it would be nice to automate this, or prevent the creation of vendors that are too similar to popular ones. However it is reassuring to see that there is no widespread abuse going on.
June 29, 2016 // PHP // Post a comment
PHP Versions Stats - 2016.1 Edition
Last year I posted stats about PHP versions, and the year before as well, both time in November. However this year I can't wait for November as I am curious to explore the PHP7 uptake!
A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs of the last 28 days for Composer installs done by someone. Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with.
PHP usage statistics
I have two datasets, from November 2015 and today, which shows the progression of various versions. Note that the previous dataset was checking for Composer updates only, while the new one includes installs as well.
November 2015
| All versions | Grouped | |||
| PHP 5.5.9 | 29.63% | PHP 5.5 | 50.68% | |
| PHP 5.6.14 | 5.63% | PHP 5.6 | 22.09% | |
| PHP 5.3.3 | 4.60% | PHP 5.4 | 15.86% | |
| PHP 5.4.45 | 3.94% | PHP 5.3 | 9.90% | |
| PHP 5.6.13 | 3.39% | PHP 7.0 | 1.17% |
May 2016
| All versions | Grouped | |||
| PHP 5.5.9 | 11.87% | PHP 5.6 | 39.67% | |
| PHP 7.0.6 | 10.39% | PHP 5.5 | 29.56% | |
| PHP 5.6.20 | 8.41% | PHP 7.0 | 20.24% | |
| PHP 5.6.21 | 7.69% | PHP 5.4 | 7.64% | |
| PHP 5.6.19 | 4.71% | PHP 5.3 | 2.43% |
A few observations: 5.3 dropped to almost nothing which is great news! 5.4 is also down by almost 10% and is definitely on the way out. 5.5 is still big but less so, while 5.6 got a huge boost to become the main version. The big surprise is that we have 20% of PHP7 already! That is great news only six months after this major release came out.
PHP requirements in Packages
The second dataset is which versions are required by all the PHP packages present on packagist. I only check the require statement in their current master version to see what the latest is.
PHP Requirements - Current Master - May 2016 (+/- diff from November 2015)
| 5.2 | 2.51% (-0.3) |
| 5.3 | 45.26% (-6.43) |
| 5.4 | 31.69% (-1.76) |
| 5.5 | 15.48% (+5.29) |
| 5.6 | 3.52% (+1.84) |
| 7.0 | 1.54% (+1.34) |
A few observations: 5.3/5.4 are declining slowly, 5.5 is taking the bulk of it though which makes me a bit sad :) I wish there was more love for 7 now that it shipped in Ubuntu 16.04.
All in all, it seems like package requires are way behind actual version usage, so I would like to encourage everyone to be a bit more aggressive in bumping PHP requirements when tagging new major releases of their libs. Don't forget that the old code does not go away, it's still there to be used by people using legacy PHP versions.
June 06, 2016 // PHP // Post a comment
Goddamn it.
It's not often that one messes up really bad. But today is my day apparently.
TL;DR: I accidentally wiped a github organization that had a few popular repos on it. But it's all fixed now.
How the heck did this happen?
I was trying to remove a private repository, called nelmio, which incidentally has the same name as the organization it was in, so nelmio/nelmio. Then this happened:
- I wanted to check repo permissions so I went to https://github.com/nelmio/nelmio/settings/collaboration then followed a team link which led to https://github.com/orgs/nelmio/teams/foo
- Then I was like OK let's go back in the settings tab to delete this repo, except at this point the settings tab points to https://github.com/organizations/nelmio/settings/profile (i.e. the org settings not the repo)
- So at the end of the settings tab I see the familiar red delete button, hit it, it tells me to type the repo name (nelmio) as usual, but obviously I've done this many times so I don't read the fine print. It turns out in this case it wanted me to confirm the org name and not repo name.
- As I click "Confirm Delete" I saw that something in the message wasn't quite familiar, but then it reloaded the page and I find myself on the github home. I'm like "That's odd!", then more or less 2 seconds later this horrible feeling in my guts is confirmed, the entire org was wiped.
Mitigation
I immediately emailed GitHub support, and am still waiting for an answer. I kinda wish there was a hotline for such cases, even if it was billed 10 bucks a minute :)
After doing so, I started re-pushing repos into a new organization (nelmiobackup). I then changed the packagist.org package URLs to point to this new org, so that at least package installs should continue working relatively normally for the time being.
I did not want to re-create a nelmio org as I thought this might hamper any recovery effort by the github support folks, but someone had the great idea to do that for me, so now that the potential damage is done and they added me as owner, I forked everything from nelmiobackup to nelmio so that it's present at the old URL for people doing installs using composer.lock files that point to the old URL.
I hope GitHub will be able to fix this, but if not apparently http://ghtorrent.org/ has a ton of github data. We'll see what can be done.
Updates
Update1: GH support answered, it seems they can restore. I had to rename nelmio to nelmio-old for now to make room for the restore, so clones with old URLs will temporarily fail again.
Update2: All restored, I only have to re-create teams within the org, no biggie :) Total time was a bit over 1h from deletion, which isn't too bad in the grand scale of things.
P.S: If you feel like comparing this to the left-pad incident, this is quite different because I fucked up accidentally while the guy in question did it intentionally. I guess I can't stop you though.
P.P.S: If you want to laugh or say anything mean, please go away. I don't want to hear it right now. It is stressful enough as it is, and I am doing what I can.
May 31, 2016 // News // Post a comment
Common files in PHP packages
This one started in a peculiar way. Paul M. Jones announced a new version of his Producer tool, I had a look at it and saw that it recommended having a changelog called CHANGES.md by default. This irked me a bit because I always use CHANGELOG.md and hardly ever see that as a file name (it's the little things that matter, right?).
My first thought was to report an issue asking to change the default, but then I thought it's Paul, he will not just take my word for it, he will want hard facts. So here I am two days later. I queried GitHub's API for the file listing (only the root directory) of all PHP packages listed on packagist.org.
April 21, 2016 // PHP // Post a comment
Composer goes Gold
Five years ago today, Composer was born. In some ways it feels like yesterday, at least it doesn't feel like five years went by. In other ways it seems like a lifetime ago, and I can barely remember what it was like to write PHP code without having a whole ecosystem at my fingertips.
Composer 1.0.0
Today I have the pleasure of announcing that the first 1.0.0 stable release is out and available for immediate download!
It has been a long time coming, but we fixed a few last critical issues in the last few months that finally allow me to take this step. Going forward I plan on releasing more frequently as well ;)
Update channels
One big change that happened recently is that by default the Composer installer and composer self-update both install stable releases by default. This is great to avoid bad surprises if you run self-update as part of your deployment, but it also means that the feedback loop gets longer for us when we do changes. Therefore I really hope that we can get enough people running frequent self-updates using the preview (alpha/beta/..) and especially snapshot (dev builds) channels.
My recommendation would be to run regular updates for deployment/builds to have stability, run self-update --preview in CI if you can to make sure you test at least pre-release versions. And on dev environments composer self-update --snapshot would give you the latest and shiniest Composer has to offer. This will ensure we spot regressions or mistakes as early as possible, and thus avoid breaking things in stable releases.
Composer Gold Edition
Finally, in an attempt to mark the fact that Composer has finally gone gold, I wanted to do something special.
My girlfriend had a brilliant idea, and a few days and a couple express deliveries later here we are. We made an actual Composer gold master copy of the 1.0 release, on a floppy!
Collector items are no fun if you can't collect them though, so you can head to eBay now to bid on it if you'd like to own it!
Here's to the next five years (for the 2.0, hah.)!
April 04, 2016 // News, PHP // Post a comment
Toran Proxy Updates
Over the last month I spent quite some time bringing Toran Proxy up to speed with the times, and added a few features along the way. I haven't blogged about it in a while so I thought an update was overdue.
Toran what?
First of a all a quick note about Toran Proxy, in case you don't know about it. You can check the website for details but in two words it is a way to host private packages, as well as to mirror github, packagist and others so that if they break down you can still run composer installs from your Toran setup. It is a paid product but money goes to fund Composer development and Packagist hosting as well so you will hopefully agree it is for a good cause ;)
Drupal, Magento and WordPress support
v1.3 added the capability to mirror other public repositories, like the WPackagist one for WordPress, the Firegento repo for Magento or Drupal's Packagist setup. These projects have large plugin ecosystems and they have chosen to publish them on their own repositories instead of using Packagist. Toran now lets you add these in the settings so that you can mirror public packages transparently no matter if they come from Packagist or another public repo.
Performance and UI improvements
It used to be a bit slow to run updates with many packages, as it was hitting the PHP application for every package. This has been fixed and updates should now run a lot faster.
As for UI, the new release brings an actual package detail page for your private packages so you can see which versions are available and what they require, as well as trigger instant updates from the UI.
If you haven't yet, go try it out with the personal edition and I hope you will then consider getting a license to use it in your company!
April 04, 2016 // News, PHP // Post a comment
The Road to Monolog 2.0
Monolog's first commit was on February 17th, 2011. That is almost 5 years ago! I have now been thinking for quite a while that it would be nice to start on a v2, and being able to drop some baggage.
One of the main questions when doing a major release is which minimum PHP version to support going forward. Last summer I decided I wanted to do a big jump from 5.3 and directly target PHP 7. It provides a lot of nice features as well as performance improvements, and as Monolog is one of the most installed packages on Packagist I wanted to help nudge everyone towards PHP 7.
Back then 7.0 was not out though, so I played around a bit but I did not do much progress. Another point that was limiting me was that I did not want to bother people adding Monolog to their project via composer require monolog/monolog as that used to just take the last release available.
However PHP 7.0 is now out, and as you may have seen in my previous post I have fixed the issue in composer require. I also emailed several projects that had dangerous requirements on Monolog a few months ago to ensure they would not upgrade to the 2.0 version accidentally.
The road forward
Monolog's master branch now targets PHP 7, and the branch-alias has been updated to 2.0 so work can now fully begin on the upcoming version. There is an old issue with a list of ideas and tasks for 2.0, but I am open to more ideas. There is also a 2.0 milestone with some more issues and PRs that have to be considered for inclusion.
If you use Monolog a lot and have thoughts on what should change in the design, please open an issue! If you want to help grab one of those tasks (except those that aren't clear or still need to be decided on) and send a pull request! It's a great chance to play with PHP 7 features if you haven't yet. I took care of some things already but there is plenty more to be done and I definitely can't do it alone.
A word of caution
Please check your composer.json, if you require monolog/monolog dev-master you will have issues next time you update! Please fix that immediately and use ^1.17 instead, it will ensure you don't upgrade to 2.0 accidentally.
Supporting the past
Obviously, not everyone will upgrade to PHP 7 immediately, and Monolog v2 will probably not be ready and stable for a few months, so Monolog 1 will still be maintained. I don't have a concrete date in mind of when the maintenance will stop, but it is anyway pretty stable so I don't think maintaining it will be a big deal.
There is now a 1.x branch where bug fixes and features applicable to both versions should go, and 1.x releases will be created from there in the future.
December 18, 2015 // News, PHP // Post a comment
New Composer Patterns
Here is a short update on some nice little features that have become available in the last year in Composer.
Checking dependencies for bad patterns
You may know about the composer validate command, but did you know about its new --with-dependencies / -A flag? It lets you validate both your project and all your dependencies at once!
This is quite nice to check if any of your dependencies has unsafe requirements like >= or similar issues. You can also combine it with --strict to make sure that any warning results in a failure exit code, so you can detect warnings in your CI builds for example by checking the command exit code.
Try it out: composer validate -A --strict
Referencing scripts to avoid duplication
You can now reference other scripts by name to avoid having to define the exact same script command in multiple places (e.g. post-update-cmd and post-install-cmd is a common pattern). See the docs for an example. This could be applied to the symfony standard composer.json for example. The referenced script can even be array of scripts!
Defining your target production environment in composer.json
The config.platform option lets you emulate which platform packages you have available on your prod environment. That way even if you have a more recent PHP version or are missing an extension locally for example, composer will always resolve packages assuming that you have the packages you declared installed.
Let's take a concrete example. If I am running PHP 5.6 in production but use PHP 7 to develop on my machine, I might end up installing a package that depends on PHP 7 and not notice the problem until I deploy and things break on the server. Obviously it is better to develop with the exact same versions to avoid any surprises but this isn't always practical and especially when working on open source libraries I think many don't use VMs but instead work with whatever PHP they have on their host system.
In Composer for example we want to guarantee that we at least work with php5.3, so we tell Composer to fake the PHP version to be 5.3.9 when running updates, no matter what PHP version you run it with. If we did not do this for example the symfony/console package we depend on would upgrade to v3, but as symfony/console v3 requires at least PHP 5.5 it does not happen thanks to the platform config.
Excluding paths from the optimized classmap
When you run composer dump-autoload -o to get an optimized autoloader, Composer scans all files and builds a huge classmap, even for packages that define autoload rules as psr-0 or psr-4. This is great but in some cases you have some classes in the psr-4 path that you actually don't want to be included in this optimized map. One typical example of this would be Symfony2 bundles that follow the best practices layout of having all sources at the root of the repo. In this case the psr-4 path is "" (repo root) and there is a Tests/ folder which contains the test classes. Obviously in production we don't want to include those test classes in the optimized class map as it is just a waste. Adding the second line here to the autoload config will make sure they are not included:
"autoload": {
"psr-4": { "Nelmio\\CorsBundle\\": "" },
"exclude-from-classmap": ["/Tests/"]
},
Requiring packages easily and safely
For quite a while now we have had the ability of running composer require some/package without specifying the version and Composer just figures out the best requirement for you. However this came with a catch, as it always picked the latest version available. This usually works but if the latest version requires a newer PHP version than what you have on your machine it would actually fail. I fixed that and it now looks at your PHP version (or config.platform.php value) to determine which is the best version to install. This is great because it enables package authors to require PHP 7 in their new package version for example and anyone using composer require will not accidentally get this newer version installed until they are ready and using PHP 7 themselves. More on that note soon!
I hope these tips helped bring a bit more attention to those cool new features we have added!
December 18, 2015 // News, PHP // Post a comment