Tech News and Updates

PHP's updated support policy: extended security support and refined release cycle

PHP's updated support policy: extended security support and refined release cycle

The PHP project has announced an extension of security support for its versions, increasing the duration from one to two years. This decision, outlined in a recent RFC update, also addresses other aspects of the release process, including the introduction of minor features.


The release cycle for PHP follows a structured pattern:

Yearly Release Cycle: PHP typically releases new versions annually.

Release Life Cycle (4 years):

  • First 2 years: Bug fixes only.
  • Next 2 years: Security fixes only.

Key Points from the RFC:


No feature additions after the final x.y.0 release.

Backward compatibility must be maintained within the same major release (e.g., 8.x.x).

Binary compatibility (API or ABI) can be broken between feature releases (e.g., 8.3 to 8.4).


Major Version Number (X.y.z to X+1.0.0):

  • Bug fixes, new features.
  • Extensions support may be moved to PECL.
  • Backward compatibility, API, and ABI compatibility can be broken.

Minor Version Number (x.Y.z to x.Y+1.z):

  • Bug fixes, new features.
  • Extensions support may move to PECL.
  • Backward compatibility and API compatibility must be kept.

Patch Version Number (x.y.Z to x.yZ+1):

  • Bug fixes and security patches only.
  • Extensions support cannot be removed.
  • Backward compatibility and ABI/API compatibility must be kept.


Breaking backward compatibility, APIs, or ABIs should have a clear rationale and be accompanied by RFCs, test cases, and patches.


The release timeline follows a structured process starting on the first Tuesday of July each year, lasting around 20 weeks with alpha, beta, and release candidate phases culminating in a general availability (GA) release.


  • Alpha Releases: Introduce new features following RFC procedures.
  • Beta Releases: Feature freeze and testing phase.
  • Release Candidates: No API/ABI changes; final testing phase before General Availability release.

Post-General Availability, there are scheduled bug fix and security releases for up to four years, synchronized with other release branches and focusing on addressing issues and maintaining security.


Feature selection and development follow the RFC process, with voting now conducted directly in RFCs for php.net members.


Release managers play a facilitating role in managing the release process, but decisions about features are community-driven and discussed publicly.


The process includes a call for release manager volunteers around three months before the next release cycle begins.


The RFC also addresses feature preview releases and security management, emphasizing thorough testing, security protocols, and collaboration with major distributions' security teams.


Overall, the extended security support and structured release cycle aim to enhance stability, security, and community collaboration within the PHP ecosystem.


In our blog, we post technology-related articles weekly. Follow us on Facebook and  Instagram to get notifications about updates.

Reading next

Addressing critical risks: what you need to know about Chrome 124 update
Unlocking the potential: Magento 2.4.7 brings PHP 8.3 support and more

Interested in a specific business & technology topic and looking for an article in our blog but haven't found one yet?

If you haven't come across an article that matches your query, feel free to suggest the topic to us, and we'll consider featuring it in our blog. Share your suggestion in the form below, and we'll be sure to review your request.

Talk with us

If you have any questions or problems in your business that can be solved with technical solutions, just let us know. We'll do everything we can to help you.