What was the issue?
The root cause is a new format for GitHub tokens: the new tokens contain a hyphen, which Composer's token validation rejects, and the resulting error message prints the full token to standard error. In the worst case the token ends up in logs, CI output or console transcripts.
Nils from Packagist.com, whom attendees of the Contao Conference in Potsdam may still remember fondly, has written a detailed article on the topic. It covers the root cause of the vulnerability and the recommended immediate steps.
Is your installation trakked?
Then you don't need to do anything. Andy released a new version of the Contao Manager yesterday that already includes the current Composer version. If your Contao Manager is connected to trakked, we rolled the update out automatically overnight into Friday. This is exactly what we built trakked for: updates like this happen automatically, without you having to check every installation individually.
Is your installation not trakked or do you use Composer on the command line?
Then act now.
- Contao Manager: Log in to the Contao Manager once. On startup it will automatically perform the upgrade to the current Contao Manager version, which contains the new Composer version.
- Command line: Run a self-update to Composer 2.9.8 or 2.2.28:

    composer.phar self-update

  After that, check the installed version with

    composer --version

  to make sure the update was applied.
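For anyone who has to do this across many servers, the steps above can be scripted so that the version check decides whether a self-update is needed at all. The following script is an added example, not code from this post, from trakked or from the Composer project. It assumes `composer` is on PATH, that `composer --version` prints a line starting with "Composer version X.Y.Z", and that the fixed releases are the ones named above: 2.2.28 for the 2.2 LTS line and 2.9.8 for everything else. For a 2.2 installation it uses Composer's `self-update --2.2` option so the installation stays on the LTS line instead of being moved to 2.9.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Composer project.
# Decide whether the installed Composer is at or above the fixed release for
# its branch (2.2.28 on the 2.2 LTS line, 2.9.8 otherwise) and run the
# self-update only if it is not. Assumes `composer` is on PATH and that
# `composer --version` prints "Composer version X.Y.Z <date>".

# Constructed sample of a `composer --version` line (not real output).
SAMPLE_VERSION_LINE='Composer version 2.9.7 2000-01-01 00:00:00'

# Print field $2 (1-based) of dotted version $1; empty if absent.
ver_field() {
  printf '%s\n' "$1" | cut -d. -f"$2"
}

# Return 0 if version $1 >= version $2 (numeric dotted versions only).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(ver_field "$1" "$i"); y=$(ver_field "$2" "$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Lowest fixed release for the branch that version $1 belongs to.
# The 2.2 LTS line was fixed in 2.2.28; everything else must reach 2.9.8,
# so an unpatched 2.3 to 2.9.7 install is reported as affected.
fixed_version_for() {
  case "$1" in
    2.2|2.2.*) printf '2.2.28\n' ;;
    *)         printf '2.9.8\n' ;;
  esac
}

# Return 0 if version $1 already carries the fix.
composer_is_patched() {
  [ -n "$1" ] || return 1
  version_ge "$1" "$(fixed_version_for "$1")"
}

# Extract the bare version number from a `composer --version` line.
parse_composer_version() {
  printf '%s\n' "$1" | sed -n 's/^Composer \(version \)\{0,1\}\([0-9][0-9.]*\).*/\2/p'
}

# Check the installed Composer and self-update it if it is still affected.
# Stays on the 2.2 LTS line via `self-update --2.2` when 2.2.x is installed.
check_and_update() {
  line=$(composer --version 2>/dev/null) || { echo "composer not found on PATH" >&2; return 2; }
  v=$(parse_composer_version "$line")
  if composer_is_patched "$v"; then
    echo "Composer $v already contains the fix; nothing to do."
    return 0
  fi
  echo "Composer $v is affected; updating to $(fixed_version_for "$v") or newer."
  case "$v" in
    2.2|2.2.*) composer self-update --2.2 ;;
    *)         composer self-update ;;
  esac && composer --version
}

# Only touch the real installation when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  check_and_update
fi
```

Save it as, say, check-composer.sh (a hypothetical name) and run `sh check-composer.sh --run` on each host; without `--run` it only defines the functions, so the comparison logic can be exercised against sample version strings before it is let loose on a real installation.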
Thanks to Nils and the Composer team for the swift response and the transparent handling of the vulnerability.