Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency octokit to v3 [security] #92

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency octokit to v3 [security] #92

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Oct 15, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
octokit ^2.1.0 -> ^3.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @​octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @​pb82 (for the early analysis) and @​rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

Maintenance release for the reference for octokit/webhooks.js in app.js

Maintenance release for the reference for octokit/webhooks.js in octokit.js

Maintenance release for the reference for octokit/webhooks.js in Protobot

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

Release Notes

octokit/octokit.js (octokit)

v3.1.2

Compare Source

Bug Fixes
  • updates app.js for the handling of an error being thrown by the verify method in webhooks.js (#​2576) (b59da80)

v3.1.1

Compare Source

Bug Fixes

v3.1.0

Compare Source

Features

v3.0.0

Compare Source

Features
BREAKING CHANGES
  • Drop support for NodeJS v14, v16
  • Remove previews support for the REST API
  • remove agent option from octokit.request()
  • Replace support for Node.js http(s) Agents with documentation on using fetch dispatchers instead (via @octokit/request)
  • Remove ability to pass custom request options, except for method, headers, body, signal (via @​octokit/request)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-octokit-vulnerability branch from 29e73f6 to 3fa89fb Compare November 1, 2024 09:30
@renovate renovate bot force-pushed the renovate/npm-octokit-vulnerability branch from 3fa89fb to 963d58d Compare November 1, 2024 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants