# PSA: Update Composer to the latest version — GitHub Actions token disclosure (CVE-2026-45793)

**URL:** https://discourse.roots.io/t/psa-update-composer-to-the-latest-version-github-actions-token-disclosure-cve-2026-45793/30345
**Category:** bedrock
**Tags:** security, composer
**Created:** 2026-05-14T14:47:16Z
**Posts:** 1

## Post 1 by @ben — 2026-05-14T14:47:17Z

A Composer vulnerability (CVE-2026-45793) can leak the full contents of `GITHUB_TOKEN` or GitHub App installation tokens into your GitHub Actions logs. It’s triggered by GitHub’s new installation token format (which contains a `-`) failing Composer’s validation regex — the rejected token then gets interpolated verbatim into the error message written to stderr.

If you run Composer in GitHub Actions (CI for Bedrock, Sage, plugins, etc.), update to one of:

- **Composer 2.9.8** (mainline)
- **Composer 2.2.28** (2.2 LTS)
- **Composer 1.10.28** (legacy — upgrade to 2.x if you can)

**If your workflow uses `shivammathur/setup-php` referenced by a moving tag (e.g. `@v2`), you’re already covered** — the action was updated to install a fixed Composer version. You’re only still exposed if you’ve pinned `setup-php` to a specific commit SHA from before the fix, or pinned the `composer` tool itself to a vulnerable version via the action’s `tools:` input.

GitHub temporarily rolled back the new token format, but plans to resume the rollout on **Monday, May 18, 2026 (after 2 PM UTC)** — so get patched before then. It’s also worth reviewing recent Actions logs for failed Composer runs that may have already printed a token, and deleting those logs if so.

More detail:

- Packagist advisory: [Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages](https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/)
- Socket writeup: [https://socket.dev/blog/packagist-urges-immediate-composer-update](https://socket.dev/blog/packagist-urges-immediate-composer-update)
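Added example (not from the original post or from Composer/setup-php): a small Python audit script that encodes the fixed-version table above and flags the two remaining exposure cases the post names, a `setup-php` step pinned to a commit SHA (the script cannot know whether a SHA post-dates the fix, since the post gives no SHA, so it flags every SHA pin for manual review) and a `tools:` input pinning a Composer version below the fix. The workflow text and the `composer --version` output are constructed sample inputs; the parsing of `tools:` assumes the single-line `composer:X.Y.Z` form.

```python
import re

# Fixed Composer versions named in the post, per release line.
# Assumption: anything below these on the same line is treated as vulnerable.
FIXED = {
    "1.10": (1, 10, 28),   # legacy 1.x line
    "2.2": (2, 2, 28),     # 2.2 LTS line
    "2": (2, 9, 8),        # mainline 2.x
}


def parse_version(s):
    """Turn '2.9.8' or 'v2.9.8' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised Composer version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed_composer_version(version):
    """True when the given Composer version includes the CVE-2026-45793 fix."""
    v = parse_version(version)
    if v[:2] == (1, 10):
        return v >= FIXED["1.10"]
    if v[0] == 1:
        return False  # older 1.x lines never received the fix
    if v[:2] == (2, 2):
        return v >= FIXED["2.2"]
    # 2.0/2.1 and 2.3..2.9.7 fall below 2.9.8 and are reported as vulnerable
    return v >= FIXED["2"]


def parse_composer_version_output(output):
    """Extract the version from `composer --version` output
    ("Composer version 2.9.8 <date>")."""
    m = re.search(r"Composer version (\S+)", output)
    if not m:
        raise ValueError("could not find a Composer version in output")
    return m.group(1)


USES_RE = re.compile(r"uses:\s*shivammathur/setup-php@([^\s#]+)")
TOOLS_COMPOSER_RE = re.compile(r"tools:.*?\bcomposer:(v?\d+\.\d+\.\d+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Scan a GitHub Actions workflow for the two exposure cases the post names.

    Returns a list of (line_number, message) findings.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m and SHA_RE.match(m.group(1)):
            findings.append((lineno, "setup-php pinned to a commit SHA; "
                                     "verify it post-dates the Composer fix"))
        m = TOOLS_COMPOSER_RE.search(line)
        if m and not is_fixed_composer_version(m.group(1)):
            findings.append((lineno, f"tools: pins vulnerable Composer {m.group(1)}"))
    return findings


# Constructed sample workflow: one moving-tag step with a bad tools: pin,
# and one SHA-pinned step with a fixed tools: pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer:2.9.7
      - uses: shivammathur/setup-php@0123456789abcdef0123456789abcdef01234567
        with:
          tools: composer:2.9.8
      - run: composer install --no-interaction
"""

if __name__ == "__main__":
    # Constructed sample of `composer --version` output
    local = parse_composer_version_output("Composer version 2.9.7 2026-05-01 10:00:00")
    print(f"local Composer {local}: {'fixed' if is_fixed_composer_version(local) else 'VULNERABLE'}")
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: {msg}")
```

Run it against your own files by replacing the sample strings with the real `composer --version` output and the contents of `.github/workflows/*.yml`; a `uses:` pinned to a tag such as `@v2` produces no finding, matching the post's statement that moving-tag users are already covered.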
