update to php 8.4.4, modernize code and improve documentation #34

Merged: jwaisner merged 1 commit into main from php8 on Feb 21, 2025
@N6REJ (Collaborator) commented Feb 20, 2025

PR Type

Enhancement, Documentation, Configuration changes, Dependencies


Description

  • Updated to PHP 8.4.4 with corresponding changes in configuration, metadata, and dependencies.

  • Refactored and modernized multiple classes (class.dev.checklang.php, class.dev.utils.php, class.dev.root.php) with strict typing, PHPDoc comments, and improved readability.

  • Enhanced PHP configuration files (php.ini-production, php.ini-development) with modern directives, HTTPS links, and better clarity.

  • Updated documentation files (README.md, readme-redist-bins.txt, license.txt) with improved content, formatting, and current information.

  • Modernized OpenSSL configuration (openssl.cnf) with FIPS and CMP support.

  • Adjusted snapshot metadata to reflect PHP 8.4.4 and updated dependencies.


Changes walkthrough 📝

Relevant files

Enhancement (4 files)

class.dev.checklang.php: Refactor and document language validation class.
phpdev/class.dev.checklang.php (+146/-75)

  • Added detailed PHPDoc comments for class and methods.
  • Refactored process method by extracting logic into smaller methods.
  • Introduced type hints and strict typing for methods and properties.
  • Improved readability and maintainability by modularizing validation
    logic.

class.dev.utils.php: Modernize utility class with strict typing and comments.
phpdev/class.dev.utils.php (+81/-26)

  • Added PHPDoc comments for all methods.
  • Replaced conditional logic with match for better readability.
  • Introduced strict typing for method parameters and return types.
  • Updated string utility methods to use modern PHP functions.

class.dev.root.php: Enhance application root class with strict typing.
phpdev/class.dev.root.php (+71/-23)

  • Added PHPDoc comments for class and methods.
  • Introduced strict typing for properties and methods.
  • Improved error handling with RuntimeException.
  • Simplified CLI argument processing logic.

Root.php: Add documentation and strict types to main entry script.
phpdev/Root.php (+28/-2)

  • Added PHPDoc comments for the script.
  • Updated require_once paths to use __DIR__.
  • Declared strict types for the script.

Configuration changes (3 files)

php.ini-production: Update PHP production configuration for modern PHP versions.
tools/php/php.ini-production (+538/-718)

  • Updated URLs to use HTTPS.
  • Adjusted default values for several configuration directives.
  • Added new configuration options for modern PHP features.
  • Improved comments for clarity and accuracy.

php.ini-development: Modernized and clarified PHP development configuration file.
tools/php/php.ini-development (+535/-717)

  • Updated URLs from http:// to https:// for PHP documentation links.
  • Adjusted default values and comments for various PHP configuration
    directives.
  • Removed deprecated or unused configuration options.
  • Enhanced descriptions and added new configuration options for better
    clarity and functionality.

openssl.cnf: Modernized OpenSSL configuration with FIPS and CMP support.
tools/php/extras/ssl/openssl.cnf (+111/-71)

  • Added new configuration sections for OpenSSL initialization and
    provider settings.
  • Introduced support for FIPS and updated acceptable message digests.
  • Enhanced documentation and comments for better clarity and usability.
  • Included new sections for CMP (Certificate Management Protocol) using
    Insta Demo CA.

Dependencies (1 file)

snapshot.txt: Update PHP snapshot metadata for version 8.4.4.
tools/php/snapshot.txt (+63/-141)

  • Updated snapshot metadata to reflect PHP 8.4.4.
  • Adjusted dependency information for updated libraries.
  • Removed outdated modules and added new ones.

Documentation (3 files)

license.txt: Update PHP license file with current year.
tools/php/license.txt (+14/-14)

  • Updated copyright year to 2024.
  • Adjusted formatting for consistency.

README.md: Revise README with updated links and content.
tools/php/README.md (+5/-5)

  • Updated URLs to use HTTPS.
  • Removed outdated build status badge.
  • Added link to internal documentation.
  • Improved phrasing and formatting for clarity.

readme-redist-bins.txt: Updated redistribution binaries and licensing documentation.
tools/php/readme-redist-bins.txt (+393/-154)

  • Updated and expanded the list of redistributed binaries and libraries.
  • Added detailed licensing information for new components like PCRE2 and
    xxHash.
  • Improved formatting and consistency in the documentation.
  • Removed outdated or redundant entries from the redistribution list.

Additional files (9 files)

  • php5ts.lib [link]
  • php8ts.lib [link]
  • install.txt +0/-1797
  • news.txt +829/-11651
  • pharcommand.phar [link]
  • php.ini +0/-226
  • php.ini.bak +0/-1974
  • php5embed.lib [link]
  • php8embed.lib [link]

  • The commit updates PHP to version 8.4.4 and includes several improvements:
    
    - Upgraded PHP from 5.6.40 to 8.4.4
    - Modernized PHP development code with strict types and improved documentation
    - Updated configuration files (php.ini) with latest settings and security recommendations
    - Refreshed SSL configuration and removed legacy features
    - Cleaned up old PHP binaries and libraries
    - Added type hints and return types to development classes
    - Improved error handling and validation in language checker
    @N6REJ N6REJ added the enhancement ✨ Improve program label Feb 20, 2025
    @qodo-code-review

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
    🧪 No relevant tests
    🔒 Security concerns

    Weak cryptographic algorithms:
    The OpenSSL configuration file (tools/php/openssl.cnf) includes SHA1 in the list of acceptable message digests. SHA1 is considered cryptographically weak and its use could lead to security vulnerabilities. The digests list should be updated to only include strong algorithms like SHA256 and above.

    ⚡ Recommended focus areas for review

    Error Handling

    The validateLanguageFile() method silently returns on parse_ini_file() failure without logging or error handling, which could mask configuration issues.

    $raw = parse_ini_file($this->bearsamppevBs->getLangsPath() . '/' . $lang . '.lng');
    if ($raw === false) return;

    Exception Message

    The exception message for missing repository is not specific enough about what path was checked and what exactly was not found.

    if (!file_exists($this->bearsamppPath . '/core/Root.php')) {
        throw new RuntimeException("Bearsampp repository not found in " . $this->bearsamppPath);
    }

    Security Config
    The digests list in the TSA section includes SHA1 which is considered cryptographically weak and should be removed for security.
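
A check for the digest finding above, as an added example that is not part of the PR or of the Bearsampp code base: it walks an openssl.cnf-style file and reports every digest-naming key (`digests`, `signer_digest`, `default_md`) that lists a weak algorithm, with its section and line. The `WEAK` set and the sample config are constructed for illustration.

```python
import re

# Digests treated as weak (an assumption of this example; adjust to policy).
WEAK = {"md4", "md5", "sha1"}
# openssl.cnf keys whose value names one or more message digests.
DIGEST_KEYS = {"digests", "signer_digest", "default_md"}
SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

# Constructed sample, not the file from the PR.
SAMPLE_CNF = """\
[ req ]
default_md = sha256

[ tsa_config1 ]
signer_digest = sha256   # Signing digest to use
digests = sha1, sha256, sha384, sha512  # Acceptable message digests
"""

def find_weak_digests(text):
    """Return (line, section, key, digest) for each weak digest configured."""
    findings = []
    section = "default"  # keys before the first [section] header
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key.lower() not in DIGEST_KEYS:
            continue
        # Values may be comma- or space-separated; "SHA-1" and "sha1" are equal.
        for name in re.split(r"[,\s]+", value.strip()):
            if name.lower().replace("-", "") in WEAK:
                findings.append((lineno, section, key, name))
    return findings

if __name__ == "__main__":
    for lineno, section, key, name in find_weak_digests(SAMPLE_CNF):
        print(f"line {lineno}: [{section}] {key} allows weak digest {name}")
```

Run against the real file in CI, a non-empty result can fail the build before a weak digest list ships.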

    @qodo-code-review

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category: Possible issue
    Handle file parsing errors properly

    The validateLanguageFile() method silently returns on parse_ini_file() failure.
    This hides potential critical file parsing errors that should be handled
    explicitly.

    phpdev/class.dev.checklang.php [61-62]

     private function validateLanguageFile(string $lang, array $defaultFile, array $defaultRaw): void
     {
         $raw = parse_ini_file($this->bearsamppevBs->getLangsPath() . '/' . $lang . '.lng');
    -    if ($raw === false) return;
    +    if ($raw === false) {
    +        throw new RuntimeException("Failed to parse language file for '$lang'");
    +    }
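
    Review bot: the new exception message names only '$lang', not the file that failed to parse, so the operator still has to reconstruct the path from getLangsPath(). Build the path once into a variable, pass it to parse_ini_file() and include it in the RuntimeException message.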


    Suggestion importance[1-10]: 9

    Why: Silent failures in language file parsing could hide critical issues. Throwing an exception with detailed error information is crucial for proper error handling.

    Impact: High
    Strengthen type checking in arguments

    The cleanArgv() method returns mixed with loose type checking. This can lead to
    inconsistent return types and potential runtime errors. Implement strict type
    validation and throw TypeErrors for invalid types.

    phpdev/class.dev.utils.php [29-33]

    -public static function cleanArgv(int $key, string $type = 'string'): mixed
    +public static function cleanArgv(int $key, string $type = 'string'): string|int|bool|array
     {
         if (!isset($_SERVER['argv'])) {
    -        return false;
    +        throw new RuntimeException('No command line arguments available');
         }
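
    Review bot: the new return type string|int|bool|array still admits bool although the visible `return false` is replaced by a throw; if false was only the "no argv" sentinel, drop bool from the union. Replacing that sentinel with a RuntimeException also changes the contract for every existing caller that tests the result against false, so those call sites need updating in the same change.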
    Suggestion importance[1-10]: 8

    Why: Replacing mixed return type with union types and throwing exceptions for invalid states would prevent silent failures and improve type safety significantly.

    Impact: Medium

    Category: Security
    Restrict error reporting in production

    The error reporting configuration should be more restrictive in production.
    Consider removing E_NOTICE and E_WARNING to avoid exposing sensitive information
    and improve performance.

    tools/php/php.ini-production [483-487]

     ; Default Value: E_ALL
     ; Development Value: E_ALL
    -; Production Value: E_ALL & ~E_DEPRECATED
    +; Production Value: E_ALL & ~E_DEPRECATED & ~E_NOTICE & ~E_WARNING
     ; https://php.net/error-reporting
    -error_reporting = E_ALL & ~E_DEPRECATED
    +error_reporting = E_ALL & ~E_DEPRECATED & ~E_NOTICE & ~E_WARNING
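
    Review bot: masking E_NOTICE and E_WARNING on the error_reporting line also stops them from reaching the error log, so production loses the warnings that help spot misconfiguration and abuse. What is shown to clients is governed by display_errors, not by the reporting mask; keep error_reporting = E_ALL & ~E_DEPRECATED and rely on display_errors = Off with log_errors = On instead.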
    Suggestion importance[1-10]: 8

    Why: Restricting error reporting in production is a critical security measure to prevent information disclosure. The suggestion correctly identifies the need to hide notices and warnings that could expose sensitive details.

    Impact: Medium
    Set input variables limit

    For better security in production, set a reasonable limit for max_input_vars to
    prevent potential DOS attacks through excessive input variables.

    tools/php/php.ini-production [425-426]

     ; How many GET/POST/COOKIE input variables may be accepted
    -;max_input_vars = 1000
    +max_input_vars = 1000
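
    Review bot: uncommenting max_input_vars = 1000 sets the same value PHP already uses as its built-in default, so this line changes no behaviour and adds no limit that was not in force. Either state that the intent is to pin the default explicitly, or pick a lower value sized to the largest form the bundled applications submit.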
    Suggestion importance[1-10]: 7

    Why: Setting a limit on input variables is an important security measure to prevent DOS attacks. The suggestion provides a reasonable default value that balances security and functionality.

    Impact: Medium

    Category: General
    Improve type safety for action handlers

    The action property should be properly typed to avoid potential runtime errors.
    Since it can be null or an object of any class that extends from a base action
    class, create and use a base DevAction class that all action handlers should
    extend from.

    phpdev/class.dev.root.php [17-18]

    -/** @var ?object Active command handler instance */
    -private ?object $action = null;
    +/** @var ?DevAction Active command handler instance */
    +private ?DevAction $action = null;
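
    Review bot: the property is retyped to ?DevAction but nothing in this hunk declares DevAction, and with a typed property any handler that does not extend it raises a TypeError on assignment. The base class (or an interface) and the change to every existing action handler have to land together with this line.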
    Suggestion importance[1-10]: 7

    Why: Using a specific DevAction type instead of generic object type would improve type safety and prevent potential runtime errors when handling command actions.

    Impact: Medium

    @jwaisner jwaisner merged commit 1a18129 into main Feb 21, 2025
    2 checks passed
    @jwaisner jwaisner deleted the php8 branch February 21, 2025 05:15