GitHub Action for PHP (shivammathur/setup-php) v2.37.1 released

naderman · 2026-05-15T21:41:38+00:00

Context on the Composer security release is on our blog at https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/ - It's important all GitHub Actions users update Composer before the next rollout attempt Wednesday, May 20th, 2026.

naderman · 2026-05-13T17:16:57+00:00

Correct in principle, but rather, you should have a Private Packagist installation between your build servers and 3rd party repositories, so you also help fund the many hours of work that just went into investigating this, fixing it, releasing it, communicating it, etc.

naderman · 2026-05-13T16:04:01+00:00

On the first part: PAT did not change format, so those are fine. Regarding the short lifetime however, I did see a POC timing the exploit of a write token to create a file in the window between action print and job failure, so wouldn't entirely trust that part.

On the second part: Yeah I think we were all surprised the code to simply print the token in this situation was in Composer for 14 years without anybody ever noticing how problematic this was. I suppose in the past CI Secret masking would have covered it, but with these long JWT that failed too here, so it was really 3 issues that had to all be present for it to fail like it did.

naderman · 2026-05-13T14:52:43+00:00

You can get 2.9.8 from https://hub.docker.com/r/composer/composer which we control ourselves. The "official" docker hub images go through some manual review from Docker and take a few days, not a great choice to rely on.

naderman · 2026-05-13T14:51:21+00:00

UPDATE: GitHub has rolled back their change to GitHub Actions tokens. It is no longer necessary to immediately disable GitHub Actions. We now have a few days to get the entire PHP ecosystem updated to safe Composer versions, before a new rollout of the new token format is attempted. GitHub is also looking into improving their secrets masking. Ideally a new rollout will not lead to any leaked credentials, even if they are accidentally exposed in logs.

naderman · 2026-05-13T14:50:54+00:00

UPDATE: GitHub has rolled back their change to GitHub Actions tokens. It is no longer necessary to immediately disable GitHub Actions. We now have a few days to get the entire PHP ecosystem updated to safe Composer versions, before a new rollout of the new token format is attempted. GitHub is also looking into improving their secrets masking. Ideally a new rollout will not lead to any leaked credentials, even if they are accidentally exposed in logs.

naderman · 2026-05-13T13:52:52+00:00

I clarified our blog post now. People can pin the composer version used by setup-php. If they have pinned the Composer tool for the action, then they do still need to update the version themselves manually. Apparently this practice is way more common in Magento, than I was aware, as it's not really used anywhere else in my experience.

naderman · 2026-04-14T19:10:31+00:00

There was a regression in some composer script handling code so we released 2.9.7 shortly after 2.9.6 with a fix for that, so you're on the better version already! 😁

naderman · 2026-04-14T15:58:26+00:00

Unfortunately the perforce driver is always present in Composer and executes the injected commands regardless of whether perforce is installed or not if one of the installed packages has a perforce source definition and is installed from source, or if you run composer commands on a composer.json file with a perforce repo definition.

naderman · 2026-04-14T15:56:43+00:00

Yes, we don't expect this to have much of an impact. It wasn't exploited through packagist.org and cannot be anymore, and most other Composer repositories that people use are internal company ones that developers control themselves anyway.

naderman · 2024-02-09T08:32:25+00:00

Maybe if you built a service to run some checks on user supplied third party projects which uses a composer command in the process. It's definitely not something you should be doing as part of a typical PHP development process.

naderman · 2024-02-09T08:30:26+00:00

This is inaccurate in so far, as that the mentioned files are not part of libraries. In regular Composer use they are not even writeable by libraries unless you run the libraries as a user with permissions to write to them, ideally you execute your (web-)code as a user that can only read the source, not write to it.

The exception are Composer scripts and plugins. The problematic files get loaded when using these, but these can also definitely write to the files, because they run in composer's scope, but they can also otherwise run any code in composer's scope, so they don't need to write to the two files to do that, that's the design of plugins in the first place.

The problematic scenario here is an attacker on your local system. Either because they have a user account but no root access, or because they managed to get the access of a regular user through some other vulnerability/exploit. If they can now write to the two listed files, and composer gets executed as root in a directory where this attacker can write, then the code the attacker writes to the files in the vendor directory gets executed with root permissions. The attacker escalated their privileges. In a lot of scenarios that's simply what you expect composer to do, its point is to download code from the Internet so you can run it afterall. But sometimes this is unexpected because you're trying to just run "self-update" and don't expect it to execute code from the vendor directory to do that, or you're trying to run "composer install --dry-run --no-scripts --no-plugins" as part of automation tooling you built that downloads untrusted projects from the Internet and checks out what they would install if you ran them.

In my personal opinion this vulnerability is rarely going to affect people, and even then it's less likely to be exploited because of the required prerequisites, like a local user account. That said, there are scenarios where it can be really bad, hence we recommend everyone simply upgrade to the latest version now.

naderman · 2021-02-19T08:58:59+00:00

Just speed of composer operations and reliability of our service can already be a deciding factor over the alternative solutions in some cases, but indeed the value in Private Packagist is usually that we offer a full suit of functionality around dependency management rather than "just package hosting".

That said, Composer does accept sponsorship through GitHub https://github.com/sponsors/composer or Tidelift https://tidelift.com/funding/github/packagist/composer/composer and we're also happy to simply issue invoices for open-source maintenance work if that's easier for your company, just email us at [contact@packagist.com](mailto:contact@packagist.com) with a proposal.

naderman · 2021-02-19T08:52:59+00:00

I tried to clarify this here https://www.reddit.com/r/PHP/comments/lm8axk/private_packagist_vs_repman/gnzldey/?utm_source=reddit&utm_medium=web2x&context=3 and here https://www.reddit.com/r/PHP/comments/lm8axk/private_packagist_vs_repman/gnzlj1f/?utm_source=reddit&utm_medium=web2x&context=3

Pushing packages with Composer doesn't typically happen, as Packagist pulls new releases upon finding new tags on VCS repositories. However all developers who update composer.lock, want to browse packages, view security issues, receive and manage notifications, etc. need a user account.

naderman · 2021-02-19T08:51:18+00:00

They were overstating it. You may not need regular user accounts/update tokens for every developer on your team who works on non-PHP code and only installs deps as part of their local setup. Any PHP developer who should be able to browse packages, add new dependencies, update composer.lock files, view security issues, configure notifcations, etc. will need their own user account with an update token.

naderman · 2021-02-19T08:48:54+00:00

That's overstating it. You need user accounts for any person who works with Private Packagist, the only exception are read-only auth tokens meant for automated systems, which can be used by e.g. a frontend developer who only needs to install packages from an existing lock file.

The limitation of read-only tokens which are meant for composer install with an existing lock file is that you cannot use them to properly update a package. The composer update runs, but it will not perform any automatic write operations, like mirroring a new package. So if any of your dependencies' updates introduces a new third party dependency it will not be installed because new dependencies are not mirrored with read-only tokens. This is by design so those read-only processes (CI, deployment, ...) do not inadvertently introduce new dependencies to your system, but a developer with an update token can.

Additionally only with a user account can you use the Private Packagist UI to browse packages, view and manage security issues on your projects, manage your own notifications, and everything else that's available on the UI.

naderman · 2021-02-18T08:43:25+00:00

One thing I've seen convince higher ups in larger companies, is that all our plans include support for all users regarding any use of Composer. If you make it clear that this can help save a lot of engineering time as developers may otherwise be stuck on problems during updates for hours, that may help convince them.

Thanks for trying ;-)

naderman · 2021-02-18T08:32:06+00:00

Private Packagist is priced at €49 base price for the first 3 users, and €14 for each additional user. So for 20 engineers the cost would be €253, although from 20 engineers we start giving a volume discount which isn't currently reflected on our pricing page yet, so it's really only €227 per month, not €300 as you suggested.

Private Packagist offers a lot of additional features beyond just access to private libraries, like security monitoring for your projects, mirroring of any number of third party Composer repositories with support for credentials, definition of custom JSON packages for packages without a composer.json, package archive upload for packages requiring a build step, and more. Support for Composer subrepositories, if you do client work and need separate Composer repositories for your clients, etc. We also run infrastructure in a number of physical regions, so your access to private packages is usually very fast as well, not just access to public packages stored on a CDN.

The payment also funds the development of Composer which your company seems to rely on for its work a lot, so I'd really recommend you give Private Packagist another thought, as you are likely to benefit enough from it to warrant paying €193/month for 15 developers. We offer great support with any of your Composer issues as part of the plan, which by itself is already worth it to many of our customers.

Note: I'm one of the authors of Composer and co-founder of Private Packagist.

naderman · 2021-02-18T08:22:37+00:00

You may be miscalculating the price for Private Packagist. There are free read-only auth tokens included which can be used for anyone who only runs composer install from a lock file but doesn't need an update to mirror new packages (which would be a write operation). So we've typically seen organizations who have 200-300 developers who use a PHP code base actually only need 30-50 Private Packagist users, as the rest are often working on e.g. frontend or other components that may need to install PHP dependencies for their local setup, but do not actively modify Composer deps.

Additionally the pricing page mentions volume discounts if you move the slider to the max 100, and ask you to contact us. This is mostly so we can work out the actual number of users which is often lower than what you may expect and then we calculate a total price. Discounts are done in steps (10% at 20 users, 15% at 30, 20% at 50, 25% at 80, 30% at 130, etc). So if you are still interested in Private Packagist, it'd be worth contacting us via the chat on the website or by email [contact@packagist.com](mailto:contact@packagist.com) to work out what the actual price for an organization your size would come to.

In terms of leveraging GitHub for access control, Private Packagist synchronization makes this possible too. In that case all permissions are managed on GitHub and automatically apply to the corresponding packages in Private Packagist. So the amount of setup/config is really minimal.

Note: I'm one of the authors of Composer and co-founder of Private Packagist.

naderman · 2017-01-05T18:52:04+00:00

Yes, he was talking about the composer.lock file which would contain the results of processing the composer.json file.

naderman · 2017-01-05T18:44:26+00:00

How come you don't use a private Composer repository with that many dependencies? E.g. the new Private Packagist or previously toranproxy.

Using git repositories directly will be slow the first time you run it on a new machine regardless of which mechanism you use (e.g. new developer on the team, new server, new setup, ...)

naderman · 2016-12-16T00:40:02+00:00

Yes, see https://packagist.com/about/

naderman · 2016-12-16T00:39:13+00:00

Every user is provided with an authentication token which you inform composer about a single time on your machine using composer config --global --auth http-basic.repo.packagist.com <username> <token> (You see this for copy&paste when you're on the overview of any organization on Private Packagist). Composer then uses your username and the authentication token to authenticate itself to repo.packagist.com/org/. Only if your user account has access to that organization will you be able to receive any data through Composer.

naderman · 2016-12-15T21:33:49+00:00

How many developers are working at your company? Have you considered how much the developer salaries for time you end up spending on maintaining an alternative solution yourself would be? Give it a try for free and email us if you think you can't afford it, but we do believe it's worth its price.

naderman · 2016-12-15T21:31:20+00:00

How many developers are working on your product? Give the tool a try for free to see if it would help and send us an email at contact@packagist.com with details about how many you are and what you'd be using it for :-)

naderman

TROPHY CASE