From 807dd17d85e962303e47f62af418e229847d15a8 Mon Sep 17 00:00:00 2001
From: Tyson Andre <tysonandre775@hotmail.com>
Date: Tue, 4 Aug 2020 20:31:42 -0400
Subject: [PATCH] [skip ci] Document Phar metadata unserialization change

---
 NEWS | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 27f853b4fb2dd..a08ddca95b58d 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,11 @@ PHP                                                                        NEWS
   . Modernized oci_register_taf_callback() callable argument parsing
     implementation. (girgias)
 
+- Phar:
+  . Metadata associated with a phar will no longer be automatically unserialized,
+    to fix potential security vulnerabilities due to object instantiation, autoloading, etc.
+    RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata (tandre)
+
 23 Jul 2020, PHP 8.0.0alpha3
 
 - Core: