PHP Ecosystem Deep Dive: The Code Quality Landscape
A quick word about the approach
Hi! I'm Jean-François Lépine, and I've been interested in software quality for quite a few years now. I created PhpMetrics, then Ast-Metrics, and have helped many companies in industrializing their development processes.
I wanted to see the big picture of PHP code in the wild, so I went all in. I downloaded the entire PHP ecosystem—a whopping 236 GB of Git repositories containing a total of 2.3 billion lines of code.
The analysis script ran for three full days, processing every single file. I built it in Go for raw performance and precise CPU control - PHP analysis at this scale needs serious optimization.
TL;DR - Too Long? Didn’t Read? Here’s the Short Version!
PHP open-source is modern, modular, and maintainable. But beware of over-reliance on a few core packages and under-maintained projects.
- 36% of files have fewer than 100 lines of code
- Heavy use of interfaces makes the ecosystem highly modular.
- 76.5% of files have low cyclomatic complexity (0-10).
- However, 23.5% of the code is complex, posing maintainability challenge
- Just 136 packages (0.05%) account for 50% of all downloads.
- These core libraries are well-maintained, but they create strong dependency risks.
- Some highly used packages receive very little recognition (few GitHub stars).
- Critical dependencies may be maintained by very small teams.
- 70% of packages show minimal activity.
- 23% appear abandoned, making dependency audits essential.
X-Ray of the PHP OpenSource Ecosystem
Open Source vs Enterprise Context:
It's important to note that these metrics come from open-source projects, which differ significantly from typical enterprise codebases. Open-source libraries often prioritize extensibility and abstraction (explaining the high interface-to-class ratio), while enterprise projects may focus more on business logic implementation and specific use cases. When benchmarking your own codebase, consider whether your context aligns more with library design patterns or application-specific implementations.
I analyzed 11.1 million PHP files, totaling over 707.6 million lines of PHP code—part of a staggering 2.3 billion lines of code across all languages in the Packagist ecosystem. These metrics offer a real-world snapshot of how PHP is structured in the wild, beyond theoretical best practices."
File Size Distribution
An overwhelming 36% of files contain fewer than 100 logical lines of code, with a median of just 4.0 lines.
This reveals a strong ecosystem-wide preference for small, focused implementations - much smaller than most style guides would suggest as maximums. It also reflects the massive use of interfaces in the ecosystem, with 3.7M interfaces compared to 7.4M classes - many of these interfaces containing no logical code, only method signatures.
Cyclomatic Complexity
76.5% of files maintain low complexity (0-10), while 23.5% venture into higher complexity territory.
Even with a focus on small files, nearly a quarter of the codebase still shows significant complexity – highlighting areas where maintainability might be challenging.
Analyzed Packages
411.6K
PHP packages from PHP ecosystem
Files
11.1M
Detected PHP files
Methods
53.4M
Analyzed PHP methods
Lines of Code
707.6M
Logical lines of code distribution
Cyclomatic complexity distribution
Download Concentration: The Foundation of PHP
One of the most revealing aspects of the PHP ecosystem is the extreme concentration of downloads.
The data shows that just 136 packages (0.05 % of all packages) account for more than half of all monthly downloads in the entire ecosystem.
This concentration reflects several important dynamics in the PHP world:
Consolidated Foundation
The PHP ecosystem has matured to rely on a relatively small set of core libraries that provide essential functionality. This stable foundation means developers don't need to constantly evaluate competing implementations for basic needs.
Dependency Chain Effects
Many top packages are fundamental building blocks that get pulled in as transitive dependencies across thousands of projects. This cascading effect magnifies download counts for these foundational packages.
🎉 The Good News
The encouraging finding is that these high-impact packages are overwhelmingly well-maintained and healthy:
- ✓ Nearly all top packages have active contributor communities
- ✓ Most have robust test suites and CI/CD pipelines in place
- ✓ Many are backed by companies or foundations ensuring long-term stability
Download Dominance
Packages that collectively represent 50% or more of monthly downloads
Number of dominant packages
136
% of total downloads
0.05
Monthly total downloads
2808.6M
The Invisible Infrastructure: High-Impact, Low-Recognition Packages
While analyzing the relationship between GitHub stars and download counts, we discovered a fascinating subset of PHP packages: those with massive download numbers but surprisingly few stars. These packages form what might be called the "invisible infrastructure" of PHP—critically important components that operate silently beneath the surface of countless applications.
This "recognition gap" has several important implications:
- ⚠ Packages with high impact but low visibility might struggle to attract contributors
- ⚠ Critical dependencies may be maintained by small teams despite their outsized ecosystem importance
- ✓ However, many represent opportunities for developers looking to make meaningful contributions to the PHP ecosystem
Popular packages
In contrast, these packages are both very popular and widely used. They are the cornerstone of PHP.
bubble size proportional to GitHub forks
Packagist Ecosystem Health Status
Analysis of PHP packages reveals significant health concerns in the Packagist ecosystem: 70% show minimal activity with few downloads and GitHub interactions, while 23% appear abandoned with no recent updates. With an average of just 60 stars per package (heavily skewed by popular outliers), these metrics highlight the typical "long tail" distribution in open source ecosystems. This data emphasizes the importance of carefully evaluating dependency health through metrics like bus factor, update frequency, and community engagement when integrating packages into production projects.
Empty Packages
94.9K
Abandonned packages
Shadow packages
288.5K
Packages with few downloads, few GitHub stars or forks
Average Popularity
60
Top required packages for development
| Package | Number of packages using it |
|---|---|
| phpunit/phpunit | 201.5K |
| orchestra/testbench | 33.9K |
| squizlabs/php_codesniffer | 33.8K |
| phpstan/phpstan | 32.3K |
| mockery/mockery | 31.8K |
| friendsofphp/php-cs-fixer | 24.4K |
| pestphp/pest | 11.5K |
| vimeo/psalm | 10.5K |
| phpstan/phpstan-phpunit | 9.7K |
| laravel/pint | 9.6K |
| phpstan/extension-installer | 9.0K |
| symfony/var-dumper | 8.9K |
| nunomaduro/collision | 8.4K |
| roave/security-advisories | 8.2K |
| phpmd/phpmd | 6.7K |
| symfony/phpunit-bridge | 6.5K |
| phpstan/phpstan-deprecation-rules | 6.4K |
| pestphp/pest-plugin-laravel | 6.2K |
| satooshi/php-coveralls | 6.0K |
| php-coveralls/php-coveralls | 5.8K |
Top required packages for production
| Package | Number of packages using it |
|---|---|
| illuminate/support | 46.4K |
| guzzlehttp/guzzle | 39.7K |
| laravel/framework | 18.9K |
| illuminate/contracts | 16.2K |
| yiisoft/yii2 | 16.2K |
| symfony/console | 13.0K |
| psr/log | 11.7K |
| symfony/framework-bundle | 11.2K |
| illuminate/database | 10.2K |
| composer/installers | 9.0K |
| symfony/yaml | 8.8K |
| psr/http-message | 8.6K |
| monolog/monolog | 8.0K |
| symfony/dependency-injection | 7.7K |
| symfony/http-kernel | 7.6K |
| symfony/http-foundation | 7.1K |
| symfony/config | 7.1K |
| twig/twig | 6.6K |
| spatie/laravel-package-tools | 6.5K |
| doctrine/orm | 6.4K |
But What About Quality?
Despite PHP's occasionally maligned reputation, the data tells a different story. PHP packages show surprisingly clean code that's easy to maintain and understand. Functions are refreshingly short, different parts of the code play well together, and packages stay reasonably sized. Turns out PHP developers aren't writing spaghetti code after all - they're crafting well-structured dishes that would make even the pickiest code chefs nod in approval.
Complexity Distribution
Average Cyclomatic
8.8
Median Cyclomatic
4.0
Code Quality
Maintainability Index
108
Lines per Method
3.0
Packages with Most Lines of Code
If you are curious about the packages with the most lines of code, you can find the top 100 packages below. Note that the biggest packages concerns geographical data, and embed a lot of data in their code.
| Package | Lines of Code | Files |
|---|---|---|
| xnrcms/alipaysdk | 2.8M | 11.4K |
| zerossb/laravel-world | 2.2M | 48.0 |
| tencentcloud/tencentcloud-sdk-php-intl-en | 1.9M | 19.2K |
| vccmas/tencentcloud-sdk-php-intl-en | 1.6M | 15.5K |
| zohocrm/php-sdk-6.0 | 1.5M | 15.7K |
| udemy/googleads-php-lib | 1.5M | 1.1K |
| volcengine/volcengine-php-sdk | 1.3M | 3.1K |
| vavajke/bxcore | 1.3M | 4.4K |
| sos-solution/other-framework | 1.2M | 8.7K |
| tombeachell/forza-magento | 1.2M | 4.2K |
What Else Is Hiding in PHP Repositories?
- PHP dominates (707M+ lines of code), but it’s far from alone.
- JavaScript is the most common companion (216M+ lines), proving that front-end and back-end integration is key.
- JSON & YAML are everywhere (200M+ lines combined), highlighting the rise of configuration-driven architectures.
- CSS & HTML (167M+ lines total) showcase the full-stack nature of many PHP applications.
- SQL, XML, and Markdown reflect the importance of structured data and documentation in modern PHP projects.
- TypeScript is growing (2.7M lines) – are PHP projects becoming more structured in the front end?
- C, Go, and Rust appear in small amounts – a sign of performance-critical extensions?
- Even Lua, Perl, and Scheme pop up – legacy integrations or scripting tools within PHP projects?
👉 Modern PHP is more than just PHP. It’s an ecosystem that blends with various technologies, making cross-language skills increasingly valuable for PHP developers.
What's Next?
Now that most of the process is scripted, I still have some code cleanup to tackle, but I think it would be valuable to run this analysis at least twice a year to keep an up-to-date view of the PHP ecosystem. So far, I've focused exclusively on Packagist, but it's not the only package manager out there - adding new code sources would provide a more comprehensive picture.
I'm also considering implementing more advanced code metrics to deepen the analysis. The current metrics give us a good foundation, but there's always more we could learn about code quality and ecosystem health.
If you have ideas for additional metrics or features that would enhance this dashboard, please reach out - your insights could help shape the future direction of this project!
© Jean-François Lépine, 2013 - 2025