PHP Foundation 2025: 42% of PHP Core, a New Security Team, and What's Next
The PHP Foundation's 2025 impact report reveals 2,929 commits, a new Ecosystem Security Team funded by Alpha-Omega, and bold goals for 2026.
The PHP Foundation published its 2025 Impact and Transparency Report on May 27, 2026, and it is one of the most substantive documents the organization has produced. Combined with the announcement a week earlier of a new Ecosystem Security Team funded through a Linux Foundation grant, the picture that emerges is of a Foundation operating at a different scale than it was even two years ago.
If you care about the long-term health of the language you build on every day, this is worth reading beyond the headlines.
What the Numbers Actually Mean
The raw metrics from 2025 are striking. The eleven Foundation-funded contractors collectively logged contributions that represent 42% of all commits to php-src. That is not a vanity number. It means that nearly half of the commits keeping PHP moving forward would not exist without sponsored contributors. The Foundation also accounted for 32% of merged PRs and 25% of bug-fix PRs across the PHP core repository.
The individual breakdown is equally telling. Gina P. Banyard alone authored 173 merged PRs in 2025, roughly 16% of all merged PRs to php-src for the year. Ilija Tovilo contributed 565 commits, making him the leading committer on the team. These are not people doing the bare minimum for a paycheck. They are carrying a large share of what keeps PHP relevant.
On the financial side, the Foundation received $730,534 in donations against $784,376 in expenses. That gap of approximately $139,000 was a deliberate drawdown of reserves, not a crisis. But the report is frank that reducing the gap is a 2026 priority, and that the number of sponsors declined year-over-year from the previous highs. The open source funding environment is difficult right now, and the Foundation is navigating that honestly.
The Technical Work: More Than Maintenance
PHP 8.5 shipped in 2025, and Foundation contractors drove or co-drove most of the meaningful features in it.
The URL/URI parsing API landed after Máté Kocsis drove the RFC through and contributed upstream fixes to the uriparser C library. This is the most significant standard-library addition PHP has seen in years. If you have ever dealt with the inconsistent behavior of parse_url(), the new ext/uri extension is the replacement you have been waiting for.
Arnaud Le Blanc’s Tail Call VM technique removed PHP’s dependency on a single compiler for peak performance. He also co-developed Partial Function Applications v2 and Context Managers with Larry Garfield, two RFCs that are currently working through implementation and discussion respectively. Context Managers in particular would bring a with-statement pattern to PHP, enabling cleaner resource management.
The Streams Modernization project, funded by the Sovereign Tech Fund, delivered a Polling API, TLS 1.3 improvements including session resumption, redesigned stream error handling, and an io_uring/IOCP abstraction layer. This is foundational infrastructure work that most PHP developers will never touch directly but will benefit from in every network-heavy application.
Joe Watkins joined the Foundation team in the second half of 2025 and published ORT, a PHP tensor library with backends targeting SSE2/SSE4.1/AVX2/AVX512, NEON, CUDA, RISC-V64, and WebAssembly. The goal is positioning PHP to participate meaningfully in AI and machine learning workloads. It is ambitious, and it demonstrates that the Foundation is thinking about where PHP needs to be in five years, not just where it is today.
PIE 1.0 and the PECL Transition
James Titcumb shipped PIE 1.0 in June 2025 and authored 90% of the codebase. The formal deprecation process for PECL has begun.
For developers who install PHP extensions, this matters. PECL has been showing its age for years: no Composer integration, no semver, inconsistent metadata. PIE replaces it with a tool built on modern PHP tooling conventions.
Installing an extension with PIE looks like this:
    # Install an extension
    php pie install xdebug/xdebug

    # Show available extensions
    php pie search redis

    # Install a specific version
    php pie install xdebug/xdebug:^3.4
The Composer-style package names and familiar CLI interface mean there is almost no learning curve for anyone already using Composer. The RFC to formally adopt PIE and deprecate PECL was accepted, so the transition is not a maybe. If you maintain extensions that are currently on PECL, this is the time to start planning the migration.
The Ecosystem Security Team
On May 18, 2026, the Foundation announced a separate but related initiative: a PHP Ecosystem Security Team, funded by a grant from Alpha-Omega (part of the Linux Foundation’s $12.5 million open source security funding round).
The person leading it is Volker Dusch, who is also one of the PHP 8.5 Release Managers and a former PHPUnit maintainer. His day job is PHP performance and monitoring tooling at Tideways, which gave him direct experience with the kinds of problems the security team will tackle.
The problem the team is addressing has two sides. New AI-assisted security analysis tools are finding real vulnerabilities in PHP packages faster than ever. At the same time, the volume of low-quality AI-generated vulnerability reports has increased dramatically, overwhelming maintainers and burying legitimate issues under noise.
The team’s mandate covers both:
- Triage vulnerability reports and manage responsible disclosure
- Develop and share tooling for discovering and remediating vulnerabilities
- Support projects with few or no active maintainers
- Coordinate access to new security tooling across the PHP ecosystem
The initial funding covers a six-month full-time engagement, with the goal of building a sustainability plan for ongoing work. The Drupal Association received a similar grant at the same time, and the two teams plan to collaborate on shared tooling and approaches.
For maintainers of open source PHP packages, Volker has explicitly asked people to reach out. If you want to put your project forward for security analysis or want to collaborate, you can contact him at volker@thephp.foundation or find him on Mastodon at @edorian@phpc.social.
What the Foundation Is Working Toward in 2026
The report’s 2026 goals section is worth reading in full, but a few stand out.
The executive transition initiated in Q4 2025 is ongoing. The Foundation is also onboarding a Director of Fundraising, which suggests they are taking the sponsor decline seriously and investing in addressing it structurally rather than just hoping it reverses.
On the technical side, the planned Cryptography working group is notable. PHP’s cryptography story has historically been fragmented across multiple extensions with inconsistent APIs. A working group focused on this area could lead to meaningful standardization.
The Foundation also called out plans to build a “PHP Next” marketing campaign aimed at highlighting PHP’s modernization to audiences who may have a dated mental model of the language. This is overdue. PHP 8.x is a fundamentally different language than the PHP most critics picture when they dismiss it, and the Foundation has real data to make that case.
Why This Matters for PHP Developers
The PHP Foundation is not perfect. The sponsorship decline is a real concern, and the gap between expenses and incoming donations cannot be sustained indefinitely on reserves. The Ambassador Program and the “PHP Next” campaign were planned for 2025 and did not ship.
But the technical output in 2025 was genuinely impressive. Eleven contractors, 2,929 commits, 42% of php-src activity. The language shipped a major release. The extension installer reached version 1.0. The security infrastructure is getting a dedicated team funded by an external grant. Streams modernization work that will run quietly under every PHP application is well underway.
If you use PHP professionally and you are not already sponsoring the Foundation, it is worth considering. You can view the full financial picture and contribute at opencollective.com/phpfoundation. The Foundation’s budget is completely transparent, which is unusual in open source and worth recognizing.
The language you build on every day has eleven people working full-time to keep it moving. That is worth knowing about.