
fromholdio/phpstan-non-nullable-sink-rules
==========================================

Version 1.0.0, BSD-3-Clause, PHP ^8.1

[Source](https://github.com/fromholdio/phpstan-non-nullable-sink-rules) | [Packagist](https://packagist.org/packages/fromholdio/phpstan-non-nullable-sink-rules)

PHPStan rules for values that are not proven safe at non-nullable or narrowly typed PHP-owned sinks.

The guiding idea is intentionally narrow:

```
Do not treat mixed as bad everywhere.
At known non-nullable/narrow PHP-owned sinks, mixed is not good enough.
```

This package is useful for dynamic PHP codebases where enabling strict mixed checks globally would produce too much noise, but where certain PHP-owned operations should still require a proven-safe value.

Installation
------------

Install the package as a dev dependency:

```
composer require --dev fromholdio/phpstan-non-nullable-sink-rules
```

If your project uses `phpstan/extension-installer`, the extension is loaded automatically:

```
composer require --dev phpstan/extension-installer
composer require --dev fromholdio/phpstan-non-nullable-sink-rules
```

Composer 2.2+ asks whether `phpstan/extension-installer` is allowed to run as a plugin. Answer yes if you want automatic PHPStan extension registration, or pre-approve it non-interactively (for CI, for example) with `composer config allow-plugins.phpstan/extension-installer true`, which writes the corresponding `allow-plugins` entry to `composer.json`.

Without `phpstan/extension-installer`, include the extension manually in `phpstan.neon`:

```
includes:
    - vendor/fromholdio/phpstan-non-nullable-sink-rules/extension.neon
```

Do not use both automatic installation and a manual include for this package in the same project; PHPStan will report that the extension file has been included more than once.

Local Path Usage
----------------

Before the package is published on Packagist, or when testing local changes in another project, add a Composer path repository:

```
{
    "repositories": [
        {
            "type": "path",
            "url": "../phpstan-non-nullable-sink-rules",
            "options": {
                "symlink": true
            }
        }
    ],
    "require-dev": {
        "fromholdio/phpstan-non-nullable-sink-rules": "*"
    }
}
```

Then run:

```
composer update fromholdio/phpstan-non-nullable-sink-rules
vendor/bin/phpstan analyse
```

Rules
-----

### `UnsafeValueForNonNullableSinkRule`

Reports values used at known non-nullable or narrowly typed PHP-owned sinks when PHPStan cannot prove the value satisfies the sink requirement.

The rule currently emits these identifiers:

```
fio.nonNullableSink.arrayKey
fio.nonNullableSink.internalFunctionArgument
```

### Array Key Sinks

Identifier:

```
fio.nonNullableSink.arrayKey
```

This sink family covers values used as array keys:

```
$items[$key] = 'value';
$value = $items[$key];
isset($items[$key]);
array_key_exists($key, $items);
```

The required key type is `int|string`. The rule reports keys that are not proven to satisfy that requirement, including `mixed`, nullable values, `false`, `bool`, `float`, `array`, and `object`. At runtime PHP silently coerces `null`, `bool` and `float` keys (to `""`, `0`/`1` and a truncated `int` respectively) and throws a `TypeError` for `array` and `object` keys, so an unproven key either addresses a different element than intended or fails at the use-site.

Example:

```
function example(mixed $key, array $items): void
{
    $items[$key] = 'value';
}
```

PHPStan reports:

```
Value used as an array key is not proven safe; expected int|string, mixed given.
```
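The following is an added example and not code from this package. It places the reported `mixed` key write beside a version that narrows the key to `int|string` before the sink, then exercises the key types the rule refuses so the runtime coercions behind the report are visible. The function names and the inputs are constructed for illustration; the identifier and message are the ones the rule emits.

```php
<?php

declare(strict_types=1);

// Added example; not code from the package. It contrasts an array-key write that
// the rule reports with one it accepts, then shows what PHP does at runtime with the
// key types the rule refuses. All inputs below are constructed for illustration.

/**
 * Reported: $key is mixed at the sink, so PHPStan cannot prove int|string and the
 * rule emits fio.nonNullableSink.arrayKey on the write.
 *
 * @param array<int|string, mixed> $items
 * @return array<int|string, mixed>
 */
function indexUnsafe(array $items, mixed $key): array
{
    $items[$key] = 'value';

    return $items;
}

/**
 * Accepted: the guard narrows $key to int|string before the sink and fails closed
 * for everything else, so the rule has nothing to report.
 *
 * @param array<int|string, mixed> $items
 * @return array<int|string, mixed>
 */
function indexSafe(array $items, mixed $key): array
{
    if (!is_int($key) && !is_string($key)) {
        throw new InvalidArgumentException(
            'array key must be int|string, got ' . get_debug_type($key)
        );
    }
    $items[$key] = 'value';

    return $items;
}

// Runtime behaviour the rule is guarding against: PHP coerces some non-int|string
// keys silently and rejects others, so which element gets written depends on the
// runtime type of $key rather than on anything visible at the call site.
var_dump(array_keys(indexSafe([], 'id')));
var_dump(array_keys(indexUnsafe([], null)));   // null is coerced to the "" key
var_dump(array_keys(indexUnsafe([], true)));   // bool is coerced to the int key 1
var_dump(array_keys(indexUnsafe([], 1.9)));    // float is truncated to 1 (deprecated since PHP 8.1)

try {
    indexUnsafe([], ['nested']);               // arrays and objects are not valid keys
} catch (TypeError $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}

try {
    indexSafe([], null);                       // the guarded version fails closed instead
} catch (InvalidArgumentException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```

Note that `declare(strict_types=1)` does not help here: strict mode governs parameter and return declarations, not array offsets, so the coercions above happen regardless. The guard in `indexSafe` is what turns the key into something PHPStan can prove, which is why the rule accepts it.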

### Internal Function Argument Sinks

Identifier:

```
fio.nonNullableSink.internalFunctionArgument
```

This sink family covers calls to PHP built-in/internal functions where PHPStan knows the parameter contract and the argument is not proven compatible.

Example:

```
function example(mixed $value, ?string $nullable): void
{
    trim($value);
    strlen($nullable);
}
```

PHPStan reports:

```
Argument #1 $string passed to internal function trim() is not proven safe; expected string, mixed given.
Argument #1 $string passed to internal function strlen() is not proven safe; expected string, string|null given.
```

The rule does not treat arbitrary userland functions as sinks solely because they receive `mixed`.
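The following is an added example and not code from this package. It mirrors the `trim()`/`strlen()` case above: the first function is reported on both calls, the second narrows the arguments before the sink so nothing is reported, and the third shows how to suppress the single identifier on a single line when a value has been validated at a boundary PHPStan cannot see. The function names and the notion of an upstream validation are hypothetical; the inputs are constructed.

```php
<?php

declare(strict_types=1);

// Added example; not code from the package. It mirrors the README's trim()/strlen()
// case: the first function is reported, the second narrows before the sink, and the
// third shows a targeted suppression by identifier. Inputs are constructed.

/**
 * Reported twice under fio.nonNullableSink.internalFunctionArgument: trim() receives
 * mixed and strlen() receives string|null.
 *
 * @return array{string, int}
 */
function normaliseUnsafe(mixed $value, ?string $nullable): array
{
    return [trim($value), strlen($nullable)];
}

/**
 * Accepted: $value is narrowed to string (failing closed otherwise) and the null is
 * resolved with a default, so both internal calls receive a proven string.
 *
 * @return array{string, int}
 */
function normaliseSafe(mixed $value, ?string $nullable): array
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('expected string, got ' . get_debug_type($value));
    }

    return [trim($value), strlen($nullable ?? '')];
}

/**
 * Deliberate exception: when a value has already been validated at a trust boundary
 * that PHPStan cannot see (a hypothetical upstream check), suppress the single
 * identifier on the single line rather than loosening the rule for the whole project.
 * The identifier form of @phpstan-ignore needs PHPStan 1.11 or newer.
 */
function normaliseTrusted(mixed $validatedUpstream): string
{
    // @phpstan-ignore fio.nonNullableSink.internalFunctionArgument
    return trim($validatedUpstream);
}

var_dump(normaliseSafe('  abc ', null));

// What the unsafe version does at runtime depends on the argument's runtime type and
// on this file's strict_types mode, which is exactly the uncertainty the rule flags.
try {
    normaliseUnsafe(['not', 'a', 'string'], 'x');  // trim() rejects an array in every mode
} catch (TypeError $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    normaliseUnsafe('ok', null);                   // strlen(null): TypeError under strict_types,
} catch (TypeError $e) {                           // deprecation notice and 0 in coercive mode (PHP 8.1+)
    echo $e->getMessage(), PHP_EOL;
}
```

Prefer the narrowing in `normaliseSafe` over the suppression in `normaliseTrusted`: the suppression documents a decision but proves nothing. If the project also runs at PHPStan's strictest level, PHPStan's own argument-type error for `trim(mixed)` appears on the same line under its own identifier and is not covered by the ignore above; at lower levels, where those core checks are off, this rule is what reports the two calls.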

Scope Boundaries
----------------

This package models dangerous use-sites, not value sources.

It does not need special knowledge of where a value came from:

```
filter_input(...)
get_option(...)
$_GET
json_decode(...)
```

If one of those values reaches a supported sink and PHPStan cannot prove it is safe, the rule reports the sink.

The package intentionally does not include:

- WordPress-aware source modelling.
- Special handling for `filter_input()`.
- Hook-aware analysis for `do_action()` or `apply_filters()`.
- Project-specific severity or release policy.

Those decisions belong in consuming projects or higher-level workflows.

Development
-----------

Install dependencies:

```
composer install
```

Run tests:

```
composer test
```

Run PHPStan against the package:

```
composer analyse
```

Run Composer validation:

```
composer validate --strict
```

Requirements
------------

- PHP `^8.1`
- PHPStan `^2.1.39`

License
-------

BSD-3-Clause.

Maintainer
----------

[dizzystuff](https://github.com/dizzystuff)
