u/naderman

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a new format for these tokens including a - (hyphen). The new format is gradually being rolled out to repositories. The new format fails Composer’s validation, leading to an error message that exposes the full token contents to stderr. A CVE identifier will be assigned and added to this post once available.