Packagist Urges Immediate Composer Update After GitHub Actions Token Leak
Blog post from Socket
Packagist has issued an urgent warning for PHP projects to update Composer because of a vulnerability caused by a change in GitHub's token format, which led to some tokens being exposed in Continuous Integration (CI) logs. The issue, fixed in Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28, was triggered by GitHub's new token format, which included a hyphen: the new tokens failed Composer's existing validation pattern, and a rejected token was printed in the error output, where CI logs captured it.

GitHub has since rolled back the token format change, which reduces the immediate risk, but updating Composer remains critical, particularly for projects using GitHub Actions, where common workflows could have written the token to logs. Teams are advised to review logs for any leaked tokens, remove affected entries, and check for any unexpected activity.

More broadly, the incident underscores the importance of treating tokens as opaque strings rather than validating them against hardcoded patterns, since platforms like GitHub continue to evolve token formats for security reasons.
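The failure mode described above, shown as an added illustration in Python rather than Composer's own PHP code: a format check against a fixed alphabet that rejects a token containing a hyphen and echoes the value into its error message, beside an opaque-string check that rejects only what can never be a credential and never logs the value, plus a small log-review helper that reports which lines expose a known secret. All token values and log lines are constructed samples, not real credentials or real output.

```python
import hashlib
import re
# Constructed sample values, not real credentials. The second one carries the
# hyphen that a hardcoded format check does not expect.
OLD_STYLE_TOKEN = "ghp_EXAMPLEabcdef0123456789"
NEW_STYLE_TOKEN = "ghp_EXAMPLE-abcdef0123456789"

# Fragile pattern: validate against a fixed alphabet and echo the rejected
# value into the error text, which is exactly what ends up in a CI log.
def validate_token_strict(token: str) -> str:
    if not re.fullmatch(r"[A-Za-z0-9_]+", token):
        raise ValueError(f"invalid GitHub token format: {token}")
    return token

# Hardened version: treat the token as opaque. Only values that can never be a
# credential are rejected, and the message carries a short fingerprint and the
# length instead of the value, enough to correlate with a secret store.
def fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()[:8]
def validate_token_opaque(token: str) -> str:
    if not token or any(ch.isspace() or ord(ch) < 32 for ch in token):
        raise ValueError(f"token rejected (fingerprint {fingerprint(token)}, "
                         f"length {len(token)})")
    return token

def error_text(validator, token: str) -> str:
    """Message a caller would log if the validator rejects the token, '' if accepted."""
    try:
        validator(token)
        return ""
    except ValueError as exc:
        return str(exc)

# Log review: report every line that contains a known secret verbatim, with the
# secret masked so the report itself is safe to share.
def lines_exposing(log_lines, secrets):
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for secret in secrets:
            if secret and secret in line:
                hits.append((number, line.replace(secret, "***")))
    return hits

# Constructed CI log excerpt, using what the strict validator would have written.
CONSTRUCTED_CI_LOG = [
    "Run composer install",
    f"[Error] {error_text(validate_token_strict, NEW_STYLE_TOKEN)}",
    "Error: Process completed with exit code 1.",
]
```

Running `lines_exposing` over a real workflow log with the secrets from your secret store gives the list of entries to remove and the tokens to rotate.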