### Impact
In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.
https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174
The request contained the bearer JWT for the App, and it was returned to clients as part of that debugging output. This token is short lived (10 minute maximum).
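The leak pattern described above, next to one way to report the same failure without the credential. This is an added example, not code from ghinstallation or from its patch; the function names, the `api.github.example` URL, the installation ID and the token value are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Constructed placeholder, not a real credential.
const sampleJWT = "eyJhbGciOiJSUzI1NiJ9.constructed-example.signature"

// newTokenRequest builds a request shaped like an installation-token refresh (constructed URL).
func newTokenRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodPost,
		"https://api.github.example/app/installations/1/access_tokens", nil)
	req.Header.Set("Authorization", "Bearer "+sampleJWT)
	return req
}

// leakyError formats the whole request into the error, so the headers (and the bearer JWT) go with it.
func leakyError(req *http.Request, status string) error {
	return fmt.Errorf("request %+v received non 2xx response status %q", req, status)
}

// sensitive lists headers whose values must never reach an error or log line.
var sensitive = map[string]bool{"Authorization": true, "Cookie": true, "Proxy-Authorization": true}

// safeError reports method, URL and status, with credential-bearing header values replaced.
func safeError(req *http.Request, status string) error {
	var hdrs []string
	for name, vals := range req.Header {
		v := strings.Join(vals, ",")
		if sensitive[http.CanonicalHeaderKey(name)] {
			v = "[REDACTED]"
		}
		hdrs = append(hdrs, name+"="+v)
	}
	sort.Strings(hdrs) // stable output regardless of map iteration order
	return fmt.Errorf("%s %s received non 2xx response status %q (headers: %s)",
		req.Method, req.URL.Redacted(), status, strings.Join(hdrs, "; "))
}

func main() {
	req := newTokenRequest()
	fmt.Println("leaky:", leakyError(req, "401 Unauthorized"))
	fmt.Println("safe: ", safeError(req, "401 Unauthorized"))
}
```

Any caller that logs or returns the first error to its own clients passes the JWT along with it, which is why the redaction belongs where the error is built rather than where it is logged.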
### Patches
* This has already been patched in d24f14f8be70d94129d76026e8b0f4f9170c8c3e, and is available in releases >= v2.0.0.
### References
* See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [ghinstallation](https://github.com/bradleyfalzon/ghinstallation)