| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @nuxtlabs/github-module | npm | < 1.6.2 | 1.6.2 |

The commit diff shows the token was removed from public runtime config (nuxt.options.runtimeConfig.public.github) and moved to private runtime config. The original vulnerable code merged the token into both public and private configs through the defu() calls. This made the credential accessible in client-side code. The main module configuration function in module.ts was responsible for this insecure merging, making it the vulnerable entry point.
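
The leak described above, shown as an added JavaScript example that is not the module's own code, with the "before" merge beside a hardened one and an audit of the public config. `mergeDefaults` is a simplified stand-in for defu(), and the option names, the placeholder token, and the `setupVulnerable`, `setupHardened` and `findPublicSecrets` helpers are assumptions made for illustration.

```javascript
const isObj = (x) => x !== null && typeof x === 'object' && !Array.isArray(x);

// Simplified stand-in for defu(target, defaults): target values win, missing keys come from defaults.
function mergeDefaults(target, defaults) {
  const out = { ...defaults };
  for (const [k, v] of Object.entries(target || {})) {
    if (v === undefined || v === null) continue;
    out[k] = isObj(v) && isObj(out[k]) ? mergeDefaults(v, out[k]) : v;
  }
  return out;
}

// Constructed module options; the token is a placeholder, not a real credential.
const moduleOptions = { owner: 'example-org', repo: 'example-repo', token: 'ghp_CONSTRUCTED_PLACEHOLDER' };

// "Before": the same options object, token included, is merged into public AND private config.
function setupVulnerable(runtimeConfig, options) {
  runtimeConfig.public.github = mergeDefaults(runtimeConfig.public.github, options);
  runtimeConfig.github = mergeDefaults(runtimeConfig.github, options);
  return runtimeConfig;
}

// "After": the token is stripped before the public merge and kept only in private config.
function setupHardened(runtimeConfig, options) {
  const { token, ...publicOptions } = options;
  runtimeConfig.public.github = mergeDefaults(runtimeConfig.public.github, publicOptions);
  runtimeConfig.github = mergeDefaults(runtimeConfig.github, options);
  return runtimeConfig;
}

// Audit: walk the public runtime config and report non-empty values under credential-like keys.
const SECRET_KEY = /(token|secret|password|api[-_]?key|private[-_]?key)/i;
function findPublicSecrets(node, path = 'public') {
  const hits = [];
  for (const [k, v] of Object.entries(node || {})) {
    const p = `${path}.${k}`;
    if (v && typeof v === 'object') hits.push(...findPublicSecrets(v, p));
    else if (SECRET_KEY.test(k) && v) hits.push(p);
  }
  return hits;
}

const before = setupVulnerable({ public: {} }, moduleOptions);
const after = setupHardened({ public: {} }, moduleOptions);
console.log('before:', findPublicSecrets(before.public));
console.log('after: ', findPublicSecrets(after.public));
```

A check like `findPublicSecrets` can run in CI against the resolved runtime config so that a credential-like key under `public` fails the build.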