On May 13, 2026, the PHP community was hit with an urgent security alert. A critical flaw in Composer, the standard dependency manager for PHP, has been found to leak sensitive GitHub Actions authentication tokens directly into publicly accessible build logs.
The vulnerability stems from a simple character validation error that turned a routine error message into a major security hole. If your team runs automated PHP builds on GitHub, your project’s credentials may have been visible to anyone with access to your CI history.
The Cause: A “Hyphen” in the Wrong Place
The crisis began in late April 2026 when GitHub rolled out a new format for its GitHub App installation tokens. The new format includes a hyphen (-), a character that Composer’s internal validation logic was never designed to accept.
How the Leak Happens:
- Rejection: When Composer encountered the new hyphenated token, its validation regex failed.
- The Error: Instead of failing silently, Composer threw an UnexpectedValueException.
- The Exposure: This exception printed the entire, unredacted token directly into stderr (standard error), which is then captured and displayed in GitHub Actions logs.
Because tools like shivammathur/setup-php automatically register these tokens in Composer’s settings, the leak occurred without any manual configuration by the user.
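To make the mechanism above concrete, here is an added example, not Composer's own code, contrasting an assumed strict token check that echoes the rejected value (the leak pattern) with the opaque-string handling the Packagist fix is described as adopting. The regex, function names and sample tokens are assumptions.

```php
<?php
// Added illustration (not Composer's own code). The strict regex is an assumed
// stand-in for the validation the article describes; the real one is not shown.

// Constructed sample values, not real secrets. The second contains a hyphen,
// as the new GitHub App installation token format does.
$sampleTokens = [
    'ghs_abc123XYZ',    // old-style: letters, digits, underscore only
    'ghs_abc-123XYZ',   // new-style: hyphen present
];

// BEFORE: a character whitelist that predates the new format, and an error
// message that interpolates the rejected value. Anything written to stderr
// in CI ends up in the build log.
function validateTokenStrict(string $token): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $token)) {
        throw new UnexpectedValueException(
            'Invalid token "' . $token . '": only letters, digits and _ allowed'
        );
    }
    return $token;
}

// AFTER: treat the token as an opaque string. Reject only what the
// configuration layer genuinely cannot carry (empty values, control
// characters) and describe the problem without echoing the value.
function validateTokenOpaque(string $token): string
{
    if ($token === '' || preg_match('/[\x00-\x1F\x7F]/', $token)) {
        throw new UnexpectedValueException(
            'Invalid token (' . strlen($token) . ' bytes): empty or contains control characters'
        );
    }
    return $token;
}

foreach ($sampleTokens as $token) {
    try {
        validateTokenStrict($token);
        fwrite(STDERR, "strict: accepted\n");
    } catch (UnexpectedValueException $e) {
        // This line is the leak: the message, and so the CI log, carries the secret.
        fwrite(STDERR, 'strict: ' . $e->getMessage() . "\n");
    }
    validateTokenOpaque($token); // accepts both formats, never echoes the value
    fwrite(STDERR, 'opaque: accepted (' . strlen($token) . " bytes)\n");
}
```

Run it with `php` on the command line and note that only the strict path ever writes the hyphenated token to stderr.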
Required Action: The Three Patched Versions
GitHub has temporarily rolled back the new token format to give developers a window to secure their systems. You must update Composer before GitHub attempts the rollout again in the coming weeks.
| Composer Branch | Secure Version | Recommendation |
| --- | --- | --- |
| Main (V2) | 2.9.8 | Recommended for all users |
| LTS (V2.2) | 2.2.28 | Use for stable long-term environments |
| Legacy (V1) | 1.10.28 | Only for systems that cannot move to V2 |
How to update:
Run the following command in your terminal or CI environment:
composer self-update
Audit and Remediation Checklist
Updating Composer stops future leaks, but it doesn’t fix tokens that have already been exposed. Follow these steps immediately:
- Scan Logs: Search your recent GitHub Actions history for failed Composer runs. Look for the error message “UnexpectedValueException.”
- Delete Logs: If you find a log containing a token, delete the run or use GitHub’s log-redaction tools to scrub the entry.
- Rotate Credentials:
- Hosted Runners: Tokens usually expire in 6 hours, but should still be treated as compromised.
- Self-Hosted Runners: These tokens can stay valid for up to 24 hours. If you find a leak, rotate your GitHub Apps or Personal Access Tokens immediately.
Conclusion: Lessons in Opaque Data
This incident serves as a stark reminder for DevOps teams: never assume the format of a security token.
The fix implemented by Packagist removes the rejected token from error messages entirely and relaxes validation logic to treat tokens as “opaque strings.” By treating credentials as black-box data that could contain any character, tools become more resilient to the platforms they serve. Secure your development pipelines today by updating to the latest patched version.