[pkg-php-pear] Bug#955485: composer: Backport GitHub access_token fix before API removal

Kevin Locke kevin at kevinlocke.name
Wed Apr 1 13:35:32 BST 2020

Package: composer
Version: 1.8.4-1
Severity: normal
Tags: patch

Dear Maintainer,

Until version 1.10.0 (commit 4b6c25d4b), Composer used the access_token
query parameter to authenticate with GitHub.  GitHub has announced[1]
that access_token is deprecated with brownouts on September 30 and
October 28, followed by removal on November 13, 2020.  They are
currently sending monthly email notifications to access_token users.

Since this is within the LTS timeline for both Stretch and Buster, and
the patch to fix the issue (attached) is quite small, would you consider
applying the fix to versions in those releases?


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.5 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
From 4b6c25d4bc33d49097320e29e6e5705b12e9d6ef Mon Sep 17 00:00:00 2001
Message-Id: <4b6c25d4bc33d49097320e29e6e5705b12e9d6ef.1585743806.git.kevin at kevinlocke.name>
From: Jordi Boggiano <j.boggiano at seld.be>
Date: Tue, 14 Jan 2020 15:35:52 +0100
Subject: [PATCH] Use Authorization header instead of deprecated access_token
 query param, fixes #8454

 src/Composer/Util/RemoteFilesystem.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php
index 6d343f7a1..4885b7530 100644
--- a/src/Composer/Util/RemoteFilesystem.php
+++ b/src/Composer/Util/RemoteFilesystem.php
@@ -278,7 +278,7 @@ protected function get($originUrl, $fileUrl, $additionalOptions = array(), $file
         if (isset($options['github-token'])) {
             // only add the access_token if it is actually a github URL (in case we were redirected to S3)
             if (preg_match('{^https?://([a-z0-9-]+\.)*github\.com/}', $fileUrl)) {
-                $fileUrl .= (false === strpos($fileUrl, '?') ? '?' : '&') . 'access_token='.$options['github-token'];
+                $options['http']['header'][] = 'Authorization: token '.$options['github-token'];
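
Review bot: the guard on the preg_match line accepts `^https?://`, so the new Authorization header is still attached to plain-http requests for github.com hosts, where the token travels in cleartext. Since this change is about keeping the token out of the URL, consider tightening the pattern to `^https://` in the same commit. The context comment above it still reads "only add the access_token", which no longer describes what is added and should say Authorization header instead. It is also worth confirming that `$options['http']['header']` is always an array at this point, because the `[]` append does not work if a caller passed the headers as a single string.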
