diff --git a/src/Composer/IO/BaseIO.php b/src/Composer/IO/BaseIO.php
index 32a9171f3..44bd73062 100644
--- a/src/Composer/IO/BaseIO.php
+++ b/src/Composer/IO/BaseIO.php
@@ -124,7 +124,9 @@ abstract class BaseIO implements IOInterface
}
foreach ($githubOauth as $domain => $token) {
- if (!preg_match('{^[.a-z0-9]+$}', $token)) {
+ // allowed chars for GH tokens are from https://github.blog/changelog/2021-03-04-authentication-token-format-updates/
+ // plus dots which were at some point used for GH app integration tokens
+ if (!preg_match('{^[.A-Za-z0-9_]+$}', $token)) {
throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters: "'.$token.'"');
}
$this->checkAndSetAuthentication($domain, $token, 'x-oauth-basic');
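Review bot: The exception thrown right after the new check still interpolates the rejected value into its message (`... contains invalid characters: "'.$token.'"`), so a mistyped or partly pasted credential ends up in console output, CI logs and pasted bug reports. Consider leaving the value out, e.g. `throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters');`. Separately, `$` in the new pattern also matches just before a trailing newline, so a token ending in "\n" passes validation; adding the `D` modifier (`'{^[.A-Za-z0-9_]+$}D'`) would close that gap. The enclosing method starts and ends outside this hunk.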
diff --git a/src/Composer/Repository/VcsRepository.php b/src/Composer/Repository/VcsRepository.php
index 148f587d4..80d24f7a1 100644
--- a/src/Composer/Repository/VcsRepository.php
+++ b/src/Composer/Repository/VcsRepository.php
@@ -247,7 +247,7 @@ class VcsRepository extends ArrayRepository implements ConfigurableRepositoryInt
continue;
}
- $tagPackageName = isset($data['name']) ? $data['name'] : $this->packageName;
+ $tagPackageName = $this->packageName ?: (isset($data['name']) ? $data['name'] : '');
if ($existingPackage = $this->findPackage($tagPackageName, $data['version_normalized'])) {
if ($isVeryVerbose) {
$this->io->writeError('Skipped tag '.$tag.', it conflicts with an another tag ('.$existingPackage->getPrettyVersion().') as both resolve to '.$data['version_normalized'].' internally');
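Review bot: The rewritten `$tagPackageName` line reverses which name wins but carries no comment saying so, unlike the `preProcess()` hunk further down in this file. A one-line comment such as `// the repository-level package name takes precedence over the name in the tag's composer.json, matching preProcess()` would make the intent clear. Note also that `?:` tests truthiness and that the new `''` fallback is passed to `findPackage()` when neither name is set; presumably that never matches an existing package, but it is worth confirming. The surrounding loop continues outside this hunk.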
@@ -386,6 +386,8 @@ class VcsRepository extends ArrayRepository implements ConfigurableRepositoryInt
protected function preProcess(VcsDriverInterface $driver, array $data, $identifier)
{
// keep the name of the main identifier for all packages
+ // this ensures that a package can be renamed in one place and that all old tags
+ // will still be installable using that new name without requiring re-tagging
$dataPackageName = isset($data['name']) ? $data['name'] : null;
$data['name'] = $this->packageName ?: $dataPackageName;
diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php
index 47ea0b359..88dd5ae84 100644
--- a/src/Composer/Util/ProcessExecutor.php
+++ b/src/Composer/Util/ProcessExecutor.php
@@ -89,7 +89,8 @@ class ProcessExecutor
{
if ($this->io && $this->io->isDebug()) {
$safeCommand = preg_replace_callback('{://(?P[^:/\s]+):(?P[^@\s/]+)@}i', function ($m) {
- if (preg_match('{^[a-f0-9]{12,}$}', $m['user'])) {
+ // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
+ if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
return '://***:***@';
}
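Review bot: The new alternative `g[a-z]\d_[a-zA-Z0-9_]+` requires a digit in the third position, but the GitHub token prefixes published in the changelog post referenced in the BaseIO hunk are `ghp_`, `gho_`, `ghu_`, `ghs_` and `ghr_`, which have a letter there. A token with one of those prefixes used as the URL username would therefore not match and, as far as this hunk shows, would not be masked as `***:***` in debug output. Matching the published prefixes, e.g. `'{^([a-f0-9]{12,}|gh[a-z]_[a-zA-Z0-9_]+)$}'`, and adjusting the `gp1_xxx` example in the comment would fix this. The same pattern and comment appear in the `Url.php` hunk and need the same change. The callback body continues outside this hunk.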
diff --git a/src/Composer/Util/Url.php b/src/Composer/Util/Url.php
index bbe6c67a7..18859fb23 100644
--- a/src/Composer/Util/Url.php
+++ b/src/Composer/Util/Url.php
@@ -110,7 +110,8 @@ class Url
$url = preg_replace('{([&?]access_token=)[^&]+}', '$1***', $url);
$url = preg_replace_callback('{(?P://|^)(?P[^:/\s@]+):(?P[^@\s/]+)@}i', function ($m) {
- if (preg_match('{^[a-f0-9]{12,}$}', $m['user'])) {
+ // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
+ if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
return $m['prefix'].'***:***@';
}