🚨 Security advisory: Composer 2.9.8 and 2.2.28 (LTS) fix a vulnerability that led Composer to leak GitHub Actions GITHUB_TOKENs and GitHub App installation tokens into job logs.
GitHub's new ghs_<id>_<JWT> token format fails Composer's validation regex; the rejected token is printed into the error message and secret masking does not reliably catch it.
Update now or disable affected Actions workflows.
https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/
Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a

Private Packagist
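To illustrate the failure mode the advisory describes, here is an added example (not Composer's own code): a validation step whose error message echoes the rejected token, beside a variant that redacts it before it can reach a job log. The regex, the message wording and the sample token are assumptions constructed for the demonstration.

```php
<?php
// Hypothetical legacy pattern: accepts tokens made of word characters only.
// A JWT contains '.', so a ghs_<id>_<JWT> token fails this check.
const LEGACY_TOKEN_PATTERN = '/^gh[ps]_[A-Za-z0-9_]+$/';

function redactToken(string $token): string
{
    // Keep only the type prefix and the length: enough to diagnose, not to reuse.
    $prefix = strstr($token, '_', true);
    return ($prefix === false ? '' : $prefix . '_') . '***(' . strlen($token) . ' chars)';
}

function validateTokenUnsafe(string $token): void
{
    if (!preg_match(LEGACY_TOKEN_PATTERN, $token)) {
        // The leak pattern from the advisory: the full rejected value lands in the message.
        throw new InvalidArgumentException("Invalid GitHub token: $token");
    }
}

function validateTokenSafe(string $token): void
{
    if (!preg_match(LEGACY_TOKEN_PATTERN, $token)) {
        // Same diagnostic, but the secret never enters the exception text.
        throw new InvalidArgumentException('Invalid GitHub token: ' . redactToken($token));
    }
}

// Constructed sample shaped like the new ghs_<id>_<JWT> format; not a real credential.
$newStyle = 'ghs_12345_eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl';

foreach (['validateTokenUnsafe', 'validateTokenSafe'] as $fn) {
    try {
        $fn($newStyle);
    } catch (InvalidArgumentException $e) {
        $verdict = str_contains($e->getMessage(), $newStyle) ? 'LEAKS token' : 'redacted';
        echo "$fn: $verdict -> {$e->getMessage()}\n";
    }
}
```

The first message is exactly the kind of line that secret masking has to catch after the fact; the second never needs masking because the token is not in it.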
UPDATE: GitHub has rolled back their change to GitHub Actions tokens. It is no longer necessary to immediately disable GitHub Actions. We now have a few days to get the entire PHP ecosystem updated to safe Composer versions, before a new rollout of the new token format is attempted. GitHub is also looking into improving their secrets masking. Ideally a new rollout will not lead to any leaked credentials, even if they are accidentally exposed in logs. #php #composerphp #phpc

@packagist, when you get a chance, could you please tag a 2.10.0-RC2 release to fix the vulnerability in 2.10.0-RC1.

Thank you.