Packagist is urging PHP projects to update Composer immediately after a GitHub token format change caused GitHub Actions tokens to be exposed in CI logs. Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28 fix a vulnerability in which Composer printed full GITHUB_TOKEN values to stderr when token validation failed. The trigger was GitHub's rollout of a new token format containing hyphens, which Composer's validation regex rejected, so the failed check echoed the full token into the job log. GitHub has since rolled back the format change, reducing immediate risk, but updating Composer remains urgent. Teams should update now, review recent Actions logs for failed Composer runs, delete affected log contents, and check for unexpected activity tied to any exposed credentials.
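The leak pattern described above, as an added illustration that is not Composer's or Packagist's code: a validator that only knows an underscore-based token shape (a constructed regex, not Composer's real one or GitHub's real format) rejects a hyphenated token and, in the leaky version, writes the whole secret into the log; the hardened version logs only a redacted hint, and a small scanner shows how a log review would flag the leaked value. All token values and log lines are constructed.

```python
import re

# Constructed stand-in for a validator that only knows the old token shape
# (letters, digits, underscore). It is NOT Composer's real regex and NOT
# GitHub's real token format; it only reproduces the failure mode.
OLD_TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{10,}$")

def redact(secret: str) -> str:
    """Return a hint that identifies a secret without disclosing it."""
    if len(secret) <= 8:
        return "***"
    return f"{secret[:4]}...{secret[-2:]} (len={len(secret)})"

def validate_token_leaky(token: str, log: list[str]) -> bool:
    """Vulnerable pattern: on rejection the whole secret is written to the log."""
    if not OLD_TOKEN_RE.match(token):
        log.append(f"invalid github token: {token}")
        return False
    return True

def validate_token_safe(token: str, log: list[str]) -> bool:
    """Hardened pattern: same check, but the message carries only a redacted hint."""
    if not OLD_TOKEN_RE.match(token):
        log.append(f"invalid github token: {redact(token)}")
        return False
    return True

# Constructed CI log excerpt showing what a leaky failure leaves behind.
SAMPLE_LOG = """\
Run composer install --no-interaction
invalid github token: ghp-EXAMPLE-NOT-REAL-0123456789abcdef
Error: Process completed with exit code 1.
"""

# Heuristic for log review: a "token" label followed by a long opaque value.
LEAK_RE = re.compile(r"token[:=]\s*(\S{20,})", re.IGNORECASE)

def find_exposed_tokens(log_text: str) -> list[str]:
    """List candidate secrets printed verbatim into a CI log."""
    return [m.group(1) for m in LEAK_RE.finditer(log_text)]

if __name__ == "__main__":
    new_style = "ghp-EXAMPLE-NOT-REAL-0123456789abcdef"  # constructed, hyphenated
    leaky, safe = [], []
    validate_token_leaky(new_style, leaky)
    validate_token_safe(new_style, safe)
    print("leaky log:", leaky[0])
    print("safe  log:", safe[0])
    print("exposed in sample log:", find_exposed_tokens(SAMPLE_LOG))
```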