Security advisory: Composer 2.9.8 and 2.2.28 (LTS) fix a vulnerability that lead Composer to leak GitHub Actions GITHUB_TOKENs and GitHub App installation tokens into job logs.
GitHub's new ghs_<id>_<JWT> token format fails Composer's validation regex; the rejected token is printed into the error message and secret masking does not reliably catch it.
Update now or disable affected Actions workflows.
https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/

]]>https://board.circlewithadot.net/topic/3ea71b08-a4a5-4181-bd2b-0ecbb08c5944/security-advisory-composer-2.9.8-and-2.2.28-lts-fix-a-vulnerability-that-lead-composer-to-leak-github-actions-github_tokens-and-github-app-installation-tokens-into-job-logsRSS for NodeFri, 15 May 2026 04:00:19 GMTWed, 13 May 2026 10:43:32 GMT60