Stop shipping var_dump() to production — enforce it with PHPStan

Published: 0 month ago (April 6, 2026 at 02:43 AM EDT)

1 min read

Source: Dev.to

Source: Dev.to

The problem

PHPStan is great — but enforcing custom rules like this is not trivial.

You either:

write a custom PHPStan rule (time‑consuming)
or use something limited like banned functions

What I wanted

I needed something that could:

ban specific functions (var_dump, dd)
restrict certain method calls
enforce architecture boundaries
be configurable without writing PHP code

The solution

I built a small PHPStan extension that lets you define forbidden patterns:

parameters:
  forbidden_node:
    nodes:
      - type: Expr_FuncCall
        functions: [var_dump, dd]

Now PHPStan reports:

Forbidden function var_dump() used in App\Service\UserService.php:42

Why this is useful

You can enforce rules like:

❌ no debug functions in production
❌ no direct DB calls in controllers
❌ no cross‑layer violations
❌ no unsafe patterns

Repo

👉

Related posts

Git bisect saved me from a week of debugging. Should've used it sooner.

Two weeks ago, my coworker merged a feature branch on Friday afternoon. By Monday morning, half our test suite was red. Nobody knew which commit broke things. T...

Top Causes of ANRs in Android and How to Eliminate Them (Complete Developer Guide)

Introduction Imagine a user opens your Android app, taps a button, and nothing happens. The screen freezes. After a few seconds, Android shows Application Not...

It's all the same, PT 2...

Background I was trying to create a consistent API across “social” sites and noticed that the same patterns keep re‑appearing in both PHP and JavaScript implem...

The Frontend Skills That Are Actually Dying (Not the Ones You Think)

markdown !Cover image for The Frontend Skills That Are Actually Dying Not the Ones You Thinkhttps://media2.dev.to/dynamic/image/width=1000,height=420,fit=cover,...