diff --git a/NEWS b/NEWS
index 27f853b4fb2dd..a08ddca95b58d 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,11 @@ PHP                                                                        NEWS
   . Modernized oci_register_taf_callback() callable argument parsing
     implementation. (girgias)
 
+- Phar:
+  . Metadata associated with a phar will no longer be automatically unserialized,
+    to fix potential security vulnerabilities due to object instantiation, autoloading, etc.
+    RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata (tandre)
+
 23 Jul 2020, PHP 8.0.0alpha3
 
 - Core: