The PHP Podcast 2026.05.28

PHP Podcast – May 28, 2026 Hosts: Eric Van Johnson & John Congdon Links from the show: PHP barely avoided disaster – YouTube CVE-2026-45793: Anatomy of a 14-Hour PHP Supply-Chain Near-Miss · graycoreio/github-actions-magento2 · Discussion #261 · GitHub An Update on Composer & Packagist Supply Chain Security PHP Tek: A Homecoming by Ben Ramsey Tek Roundup – Roave Speaking at PHP Tek 2026! #tech – YouTube PHP Tek is behind us, the ballroom is cleaned up, and we’re back to talk about all of it. Here’s what we covered: RIP Archie Bot After a long fight to keep him alive, Eric has officially retired Archie — the Discord bot built on OpenClaw that handled team standups, monitored PHP Architect’s Twitter/X group for join requests, and did a surprising amount of background work for the consulting team. When Anthropic shut down the OpenClaw API, Eric tried every model and service he could find to bring Archie back to form, but nothing got him all the way there. After a month of “almost working,” the call was made. He’s dead. Eric hasn’t ruled out revisiting it eventually — maybe with Claude Cowork — but for now, the bot is gone and the starting-soon link in Discord is broken because of it. Reviving a Six-Year-Old Codebase A client PHP Architect Consulting worked with from 2018 to 2021 has come back. The project — a reimagining of their app — was killed off when COVID hit and the CEO couldn’t align with the team’s vision. The last commit was six years ago. Now the client wants to bring it back, and Eric is spending the next few days analyzing what it’ll take to get it running again. Outdated packages, an old PHP version, and the general entropy of time are all on the checklist. Eric has genuine affection for this codebase — it was one of the first projects where he felt like the team was truly operating as a team, not just as an extension of him. Now it’s time to dust it off. Partner Spotlight: PHP Score → Our CVEs The PHP Score sponsor read may be getting a refresh — the folks at Artisan Build, who built PHP Score, have a new product they’re excited about: ourCVEs.com. It monitors your codebase’s Composer and NPM packages — and optionally your servers via a lightweight agent — for exposure to open CVEs, and alerts you when something needs attention. Pricing is generous: free forever for open source projects, $17/month for solo devs, $83/month for teams (or $1,000/year), with server monitoring scaling at $1 per server above 50. Ed from Artisan Build was at PHP Tek and made a strong impression. Go check it out at ourcves.com. How PHP Barely Avoided a Supply Chain Disaster Brent Roose released a 22-minute video covering a near-miss in the PHP ecosystem involving GitHub and Composer. The short version: GitHub changed their token format and briefly released it before Composer was ready to handle it. Composer was logging the token when the format check failed — meaning GitHub tokens were ending up in CI logs. In GitHub Actions, depending on how your action is configured, that container (and its token) might stick around for a while, giving an attacker a window to act. An alert developer caught the issue, used Claude to help research it, then did responsible disclosure — contacting the Composer maintainers and reaching out to Taylor Otwell, Vincent Pontier, and others in the ecosystem to disable their actions until the fix was in place. Update your Composer. GitHub rolled back the new token format but won’t keep it rolled back forever. Packagist MFA and Account Security Following up on the supply chain theme: Nils and Igor (Composer/Packagist maintainers) released a blog post on what they’re doing to improve supply chain security. The immediate ask for anyone publishing packages is to enable MFA on your Packagist account — it’s not required yet, but it will be. Eric went to check his own account, found MFA was already on, but noticed his username was still “diegodev” and he was using an old email. While updating it, he noted that Packagist didn’t require him to re-authenticate or confirm the change via the old email — a gap worth flagging if you have popular packages and someone ever gets into your session. PHP Tek 2026 Recap — The Good PHP Tek 2026 in Chicago is done, and despite everything (see below), the team is proud of how it went. Some highlights: Holly (CodeLorax) built a conference mobile app from scratch, released on both Google Play and the Apple App Store within 24 hours of the conference opening. The app let attendees build their own schedule, detected conflicting talk selections, sent push notifications when talks moved rooms, and even included a vendor lead-scanning feature where vendors could scan attendee QR codes to capture contacts. It was a genuine game-changer for the event. Eric and John named the conference elephant after Holly in appreciation — she also changed a trailer tire during setup, which sealed the deal. Clayton Kendall sponsored and produced the conference shirts and bags on an extremely tight timeline — shirts two weeks out, bags just one week before the event. Both were a hit. Attendees at the conference were getting questions about the rainbow PHP Architect shirt in particular. A job fair ran for the first time, with four companies represented. One hiring manager showed up even though they already had 1,400 applicants — because they knew that conference attendees are exactly the kind of motivated, self-improving developers they want. Attendees got to ask questions directly, including the real-world stuff like remote vs. office. Eric would love feedback on how to make it better next year. JS Tech debuted as a fourth track alongside the three PHP tracks, bringing in fresh faces from the JavaScript community. Eric came away energized by the cross-pollination — different people, different approaches to similar problems. Ben Ramsey and James Tickham (Rove) both wrote great blog posts about the conference. Ben’s will be featured in the magazine. Diana Pham also put together a video recap. Links in the show notes. PHP Tek 2026 Recap — The Incident On Monday during final setup, a hotel employee had a medical incident while walking through the main ballroom — leaving a trail that required hazmat-suited cleanup crews and forced the team to quarantine the ballroom, the hallway leading to it, and the adjacent bathroom. The person is okay and was back at the hotel by Friday, which was a relief. But in the moment, nobody knew what was happening or how long the room would be unavailable. The team had to rebuild the entire conference footprint overnight. The keynote moved, the JS Tech track went into the quiet room, vendors moved to the atrium, and the hotel staff — to their enormous credit — cleared their own furniture and accommodated every ask without complaint. Attendees were equally patient; once they understood the situation, there was no drama, just “tell us where to go.” The incident also took out the streaming setup for day one, compounding an already-difficult start. The solution that eventually worked — plugging the Ethernet into a hub before the streaming equipment — wasn’t tried until day three. Eric is mad at himself for thinking of it and not doing it sooner. PHP Tek 2027 — Save the Date (TBD) Planning for next year is already underway. The current target is April 2027 — away from the May timing that caused Eric to miss two of his kid’s band performances this year. Nothing is locked yet, but they’re working through venue and date options and hope to have an announcement soon. Links from the show: ourCVEs.com — Daily security audit on autopilot PHPScore — Technical debt monitoring for PHP Brent Roose — “How PHP Barely Avoided Disaster” (YouTube) Packagist — Enable MFA on your account PHP Architect Discord PHP Architect Merch Store PHP Architect YouTube Host: Eric Van Johnson X: @shocm Mastodon: @[email protected] Bluesky: @ericvanjohnson.bsky.social PHPArch.me: @eric John Congdon X: @johncongdon Mastodon: @[email protected] Bluesky: @johncongdon.bsky.social PHPArch.me: @john Streams: Youtube Channel Twitch Connect & Hire PHP Architect Website Twitter/X Mastodon Hire PHP Developers Looking to hire PHP developers? Email [email protected] – Joe and the team are available for consulting, infrastructure work, Ansible playbooks, and code review. Partner This podcast is made a little better thanks to our partners Displace   Infrastructure Management, Simplified Automate Kubernetes deployments across any cloud provider or bare metal with a single command. Deploy, manage, and scale your infrastructure with ease. https://displace.tech/     PHPScore Put Your Technical Debt on Autopay with PHPScore   CodeRabbit   Cut code review time & bugs in half instantly with CodeRabbit.   Music Provided by Epidemic Sound https://www.epidemicsound.com/ Join Us Live Next Week Youtube Channel Got feedback? Join us on Discord at discord.phparch.com The post The PHP Podcast 2026.05.28 appeared first on PHP Architect.