The Laminas project is a collection of dozens of individual packages, and their maintenance status varies widely. Some packages receive regular updates. Others have been effectively dormant for years. If your application depends on twenty Laminas packages, the health of those twenty packages is not uniform, and your upgrade planning needs to reflect that reality.
This article covers how to assess each package’s actual maintenance status, how to distinguish between “stable and complete” and “abandoned,” and how to build an upgrade roadmap that prioritises the packages that pose the most risk to your application.
How to Check a Package’s Status
There is no single dashboard that shows the maintenance status of every Laminas package. You need to check multiple signals for each package:
Packagist Release History
Visit packagist.org/packages/laminas/<package-name> and look at the release timeline. Key indicators:
- Last release date. A package released within the past six months is actively maintained. A package whose last release was two or more years ago is either stable-and-complete or dormant.
- Release frequency. Packages with regular minor releases are healthy. Packages that only get releases for PHP compatibility fixes are in maintenance mode.
- PHP version constraints. Check the
require.phpfield in the latest release. If it caps at^8.2, the package may not work on PHP 8.5 without modification.
GitHub Repository Activity
Visit the GitHub repository (usually github.com/laminas/<package-name>). Check:
- Open issues count and age. A high count of old issues is a signal of reduced maintenance capacity.
- Open pull requests. Unmerged PRs, especially those that fix PHP compatibility issues, indicate the package is not getting maintainer attention.
- Last commit date. This is often more telling than the last release date. A package with recent commits but no release may have fixes waiting.
- CI status. If the latest CI run on the default branch fails, the package has a compatibility issue with current tools or PHP versions.
The Laminas Technical Steering Committee Announcements
The Laminas TSC publishes announcements about project governance, maintenance status changes, and end-of-life decisions. These appear on the Laminas blog and in GitHub discussions. Subscribe to the laminas/technical-steering-committee repository to stay informed.
Categorising Your Dependencies
Run composer show laminas/* to list every Laminas package in your project. For each one, assign it to one of four categories:
Actively Maintained
The package receives regular releases, has responsive maintainers, and supports the current PHP version. Examples typically include laminas-servicemanager, laminas-eventmanager, and laminas-stdlib.
Action: Keep updated. Run composer update laminas/<package> regularly.
Stable and Complete
The package is not receiving frequent updates because it does what it needs to do. The API is stable. No new features are planned. PHP compatibility fixes ship when needed. Examples include some of the utility packages and interface packages.
Action: Monitor for PHP compatibility releases. Do not worry about the lack of feature updates.
Maintenance Mode
The package receives minimal attention. PHP compatibility patches may or may not appear in a timely manner. The maintainer pool is thin.
Action: Evaluate replacements. Test the package against your target PHP version proactively. Have a contingency plan.
Effectively Abandoned
The package has not received a release or meaningful commit in over 18 months. CI is failing. Issues and PRs are unanswered.
Action: Replace the package or fork it. Do not depend on abandoned packages in production without a maintenance plan.
Building the Upgrade Roadmap
With your packages categorised, build the roadmap in priority order:
Priority 1: Replace Abandoned Packages
These are your highest-risk dependencies. For each abandoned package:
- Identify what your application uses from it. Often you use one or two features from a package with dozens of classes.
- Find a replacement. Check if a standalone package provides the same functionality (symfony equivalents, league packages, or dedicated community libraries).
- Create an adapter interface in your codebase so the swap is behind an abstraction.
- Replace, test, deploy.
Priority 2: Test Maintenance-Mode Packages Against Target PHP
For packages in maintenance mode, do not wait for a release. Test them yourself:
1 | # Install your dependencies, then test against the target PHP version |
If tests pass, you are fine for now. If they fail, check the package’s GitHub for open PRs that fix the issue. If a fix exists but is unmerged, apply it locally as a Composer patch:
1 | { |
This requires cweagans/composer-patches or equivalent.
Priority 3: Update Actively Maintained Packages
These are the lowest risk. Run composer update for these packages as part of your regular maintenance cycle. Review changelogs for breaking changes before major version bumps.
Priority 4: Monitor Stable-and-Complete Packages
These need no immediate action, but keep them on your radar. When PHP version requirements change, these packages need to release a compatibility update. If they do not, they may slide into the “maintenance mode” or “abandoned” categories.
The Dependency Tree Problem
Your application’s composer.json lists your direct dependencies, but each of those pulls in transitive dependencies. A healthy direct dependency can pull in an abandoned transitive dependency.
Run composer depends laminas/<suspect-package> to see what depends on a specific package. If the suspect package is only pulled in by one of your direct dependencies, replacing that direct dependency eliminates the transitive risk.
Run composer why-not php 8.5 to see which packages in your entire tree are blocking a PHP 8.5 upgrade. This is often the fastest way to find the problematic packages.
Realistic Timeline Expectations
For a typical Laminas MVC application with 15 to 25 direct Laminas dependencies:
- Dependency audit: 2 to 4 hours
- Categorisation and risk assessment: 1 to 2 hours
- Replacing 2 to 3 abandoned packages: 1 to 2 weeks each, depending on coupling
- PHP version testing: 1 to 2 days
- Patching maintenance-mode packages: 1 to 3 days per package
- Full upgrade validation: 1 week
This is not a single sprint. Budget it as a sustained effort over one to two quarters, blended with regular feature work.
Communicating Risk to Stakeholders
Use a simple risk matrix that non-technical stakeholders can read:
| Package | Category | PHP 8.5 Ready | Replacement Available | Risk Level |
|---|---|---|---|---|
| laminas-servicemanager | Active | Yes | N/A | Low |
| laminas-cache | Maintenance | Unknown | symfony/cache | Medium |
| laminas-xml | Abandoned | No | Custom adapter | High |
This format makes the conversation concrete. Instead of “we have technical debt,” you can say “we have three high-risk dependencies that need replacement within the next quarter.”
FAQ
Can I contribute patches to Laminas packages?
Yes. The project accepts pull requests. If you fix a PHP compatibility issue, submitting a PR benefits the entire community and reduces your maintenance burden if the fix is merged.
What if my application depends on laminas-mvc and it enters end-of-life?
That is a framework-level decision, not a package-level one. The Working with Legacy PHP Codebases article covers the broader strategic thinking for this scenario.
Should I pin exact package versions?
Pin in composer.lock (which happens automatically). Use ranges in composer.json for flexibility. Run composer update deliberately and review changes before deploying.
Next Steps
Start with composer show laminas/* and categorise each package. Build your risk matrix. Prioritise abandoned packages for replacement and maintenance-mode packages for PHP version testing.
The Zend to Laminas Migration Checklist covers the namespace transition that is often the first step, and the Modernising Zend Framework Applications guide covers the broader modernisation strategy that upgrade planning feeds into.