Update dependency probot to v14 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
probot (source)	^6.0.0 → ^14.0.0

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @​octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @​pb82 (for the early analysis) and @​rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

• v12 - v12.0.4
• v11 - v11.1.2
• v10 -v10.9.2
• v9 - v9.26.3

Maintenance release for the reference for octokit/webhooks.js in app.js

• v14.0.2

Maintenance release for the reference for octokit/webhooks.js in octokit.js

• v3.1.2

Maintenance release for the reference for octokit/webhooks.js in Protobot

• v12.3.3

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

---

Release Notes

probot/probot (probot)

v14.3.2

Compare Source

Bug Fixes

• deps: update dependency yaml to v2.8.3 [security] (79b556e)

v14.3.1

Compare Source

Bug Fixes

• cli: turn off strict args parsing to re-allow using receive command with args (#​2304) (67a30d1)

v14.3.0

Compare Source

Bug Fixes

• receive command failing when LOG_LEVEL is set (#​2296) (556ec16)

Features

• replace dotenv with node native parseEnv, when using deno runtime use deno >2.7.0 (#​2265) (c94ac6e)

v14.2.4

Compare Source

Bug Fixes

• integrate static files (#​2272) (39dcfcd)

v14.2.3

Compare Source

Bug Fixes

• deps: update dependency smee-client to v5 (#​2271) (218f292)

v14.2.2

Compare Source

Bug Fixes

• deps: update octokit monorepo (major) (#​2266) (6370407)

v14.2.1

Compare Source

Bug Fixes

• stop server in run if we send SIGINT (#​2251) (02862ce)

v14.2.0

Compare Source

Features

• replace js-yaml with yaml (#​2255) (c9eda35)

v14.1.0

Compare Source

Features

• remove sourcemaps, ensure only erasableSyntaxOnly is enforced (#​2253) (94b8929)

v14.0.6

Compare Source

Bug Fixes

• deps: update dependency pino to v10 (#​2246) (f1ef4d5)

v14.0.5

Compare Source

Bug Fixes

• deps: update dependency pino-http to v11 (#​2249) (594edd4)

v14.0.4

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#​2245) (8018566)

v14.0.3

Compare Source

Bug Fixes

• correct some TypeScript errors (#​2248) (6717c1f)

v14.0.2

Compare Source

Bug Fixes

• deps: update @​probot/octokit-plugin-config (6f2d021)

v14.0.1

Compare Source

Bug Fixes

• add explicit undefined to optional types, and update webhooks types (#​1979) (05179ff)

v14.0.0

Compare Source

• feat!: v14 (#​2152) (97c4057)

BREAKING CHANGES

• Probot is now an ESM only library
• drop Node > 20.17 and Node 21 support
• Switch to GitHub's OpenAPI specification for Webhooks (from @octokit/webhooks v13)
• Remove legacy REST enpoint method access. Users will now have to use the octokit.rest.* methods
• Remove express server from within Probot.
• All properties marked as private in Typescript, including Probot#state, are now private class fields.
• createNodeMiddleware() is now an async function
• @sentry/node needs to be installed separately if needed
• ioredis needs to be installed separately if needed
• The built-in server now listens on localhost by default instead of 0.0.0.0.

Probot v14 Migration Guide

ESM Only Package

Probot is now exclusively an ESM package. Either migrate to ESM (recommended), or use `require(esm).

Migrating to ESM:

1. Update package.json:

{
  "type": "module"
}

2. Replace all CommonJS require() statements with ESM import syntax
3. Update your TypeScript configuration:

{
  "compilerOptions": {
    "module": "node16",
    "moduleResolution": "node16"
  }
}

For require(esm):

• For TypeScript 5.7-5.8: Use "module": "nodenext" and "moduleResolution": "nodenext"
• For TypeScript 5.9+: Use "module": "node20" and "moduleResolution": "node20"

Node.js Version Requirements

• Minimum supported version: Node.js 20.18+ and 22+
• Node.js 21 support has been dropped

Webhook Type Definitions

Replace webhook type imports:

// Before
import { WebhookEvent } from "@​octokit/webhooks-types";

// After
import { WebhookEvent } from "@​octokit/openapi-webhooks-types-migration";

REST API Access Pattern

Legacy endpoint methods have been removed:

app.on("issues.opened", async (context) => {
  // Before
  // const issue = await context.octokit.issues.get(context.issue());

  // After
  const issue = await context.octokit.rest.issues.get(context.issue());
});

Express Server Removal

The built-in Express server has been removed. To use Express:

1. Install Express:

npm install express

2. Update your Probot setup:

import Express from "express";
import { createNodeMiddleware, createProbot } from "probot";

const express = Express();

const app = (probot) => {
  probot.on("push", async () => {
    probot.log.info("Push event received");
  });
};

const middleware = await createNodeMiddleware(app, {
  webhooksPath: "/api/github/webhooks",
  probot: createProbot({
    env: {
      APP_ID,
      PRIVATE_KEY,
      WEBHOOK_SECRET,
    },
  }),
});

express.use(middleware);
express.use(Express.json());
express.get("/custom-route", (req, res) => {
  res.json({ status: "ok" });
});

express.listen(3000, () => {
  console.log(`Server is running at http://localhost:3000`);
});

HTTP Server no longer listens on 0.0.0.0 by default

The built-in HTTP server will now listen on localhost by default, instead of listening on all available interfaces.
If you wish to change this behaviour, you can use the HOST environment variable, or the --host variable for the probot run command.

env HOST=0.0.0.0 <start script>
probot run --host=0.0.0.0 app.js

Asynchronous Middleware Initialization

createNodeMiddleware() is now asynchronous:

import { createNodeMiddleware } from "probot";
import app from "../app.js";

// Before
// const middleware = createNodeMiddleware(app);

// After
const middleware = await createNodeMiddleware(app);

v13.4.7

Compare Source

Bug Fixes

• update @octokit/webhooks, remove internal rebindLog() function (#​2220) (c4c67c3), closes #​2062

v13.4.6

Compare Source

Bug Fixes

• update @​octokit/auth-app and @​octokit/core to fix logger binding issues (058878b)

v13.4.5

Compare Source

Bug Fixes

• deps: update dependency express to v5 (#​2090) (f6d4c3e)

v13.4.4

Compare Source

Bug Fixes

• deps: update Octokit dependencies that have ReDos vulnerability (816f2f7)

v13.4.3

Compare Source

Bug Fixes

• deps: update dependency @​probot/pino to v3 (#​2140) (7c3a99d)

v13.4.2

Compare Source

Bug Fixes

• memoryleak of octokit hook (#​2129) (2b48a8e)

v13.4.1

Compare Source

Bug Fixes

• ensure that the logger is always bound (#​2119) (cc85a24), closes #​2116

v13.4.0

Compare Source

Features

• allow custom logger for Octokit instances (#​2100) (19954c8)

v13.3.10

Compare Source

Bug Fixes

• deps: use fork of lru-cache to fix type issues (#​2104) (c87926b)

v13.3.9

Compare Source

Bug Fixes

• deps: bump @probot/pino to v2.5.0 (f26cf46), closes #​2102

v13.3.8

Compare Source

Bug Fixes

• deps: bump express to v4.21.0 (#​2085) (4c5310a)

v13.3.7

Compare Source

Bug Fixes

• types: avoid TS2590 errors in Context (#​2073) (23f6eab), closes #​1968

v13.3.6

Compare Source

Bug Fixes

• deps): Revert "fix(deps: update dependency lru-cache to v11" (#​2056) (60ff5b6), closes #​2049

v13.3.5

Compare Source

Bug Fixes

• remove eventsource dependency (#​2052) (caee841)

v13.3.4

Compare Source

Bug Fixes

• ci: Use organization-wide PROBOTBOT_NPM_TOKEN (#​2054) (cc86a53)

v13.3.0

Compare Source

Features

• set x-github-delivery header to event.id for all requests sent from context.octokit in event handlers (#​2027) (12944d5)

v13.2.2

Compare Source

Bug Fixes

• deps: update dependencies pino to v9, pino-http to v10 (#​2007) (ef7b9df)

v13.2.1

Compare Source

Bug Fixes

• probot: passes logger to webhooks (#​2011) (93007b6)

v13.2.0

Compare Source

Features

• security: Configure provenance (#​1997) (3f20320)

v13.1.2

Compare Source

Bug Fixes

• deps: update dependency express to v4.19.2 [security] (b1d3ac3)

v13.1.1

Compare Source

Bug Fixes

• deps: move bottleneck to dependencies (#​1992) (52de532)

v13.1.0

Compare Source

Features

• run: allow passing Octokit and log (#​1984) (d195264)

v13.0.2

Compare Source

Bug Fixes

• deps: update dependency commander to v12 (737835f)

v13.0.1

Compare Source

Bug Fixes

• deps: update dependency pino-http to v9 (#​1953) (5d95b73)

v13.0.0

Compare Source

Features

• v13 (#​1874) (948a1b7), closes #​1643
• Upgrade Octokit libraries to their latest major version

BREAKING CHANGES

• Drop support for NodeJS < 18
• replace node-fetch with the Fetch API
• default webhookPath is now /api/github/webhooks
• probot receive now only supports payloads in JSON format, previously also (unintionally) allowed JS.
• Probot now requires that payloads be passed as string to the .verify(), .verifyAndReceive() methods. Passing objects is no longer supported
• The middleware no longer accepts parsed payloads. You will have to pass it as a string

Note on Vercel deployments:

Set NODEJS_HELPERS environment variable to 0 in order to prevent Vercel from parsing the response body.
See Disable Helpers for detail.

v12.4.0

Compare Source

Features

• set x-github-delivery header to event.id for all requests sent from context.octokit in event handlers (#​2026) (f1985e5)

v12.3.4

Compare Source

Bug Fixes

• probot: passes logger to webhooks (#​2010) (3dcb058)

v12.3.3

Compare Source

Bug Fixes

• deps: @octokit/webhooks security update (#​1911) (02d81f8)

v12.3.2

Compare Source

Bug Fixes

• Fix async main function type (#​1672) (fc6886d)

v12.3.1

Compare Source

Bug Fixes

• typescript: simplify ProbotWebhooks object (#​1833) (7b09369)

v12.3.0

Compare Source

Features

• server: add logging options (#​1645) (6c5840d)

v12.2.9

Compare Source

Bug Fixes

• typescript: add missing import (#​1783) (229a01c)

v12.2.8

Compare Source

Bug Fixes

• Make probot receive support complex Probot apps (#​1714) (eff5553)

v12.2.7

Compare Source

Bug Fixes

• receive: --base-url option and GHE_HOST (#​1719) (68c9b91)

v12.2.6

Compare Source

Bug Fixes

• deps: upgrade octokit/types to v7.1.1 (#​1724) (be45120)

v12.2.5

Compare Source

Bug Fixes

• remove update-notifier (#​1706) (05297fb), closes /github.com/probot/probot/issues/1102#issuecomment-570598406

v12.2.4

Compare Source

Bug Fixes

• logging of first octokit instance is not set (#​1676) - thanks @​kammerjaeger @​markjm (646b6a9)

v12.2.3

Compare Source

Bug Fixes

• deps: bump eventsource from 1.1.0 to 2.0.2 (7fd06d6)

v12.2.2

Compare Source

Bug Fixes

• Replaced hbs with express-handlebars (#​1659) (420f886)

v12.2.1

Compare Source

Bug Fixes

• security: bump minimal version of hbs (#​1638) (dd9f5ae)

v12.2.0

Compare Source

Features

• customize account name for manifest creation flow using GH_ORG environment variable (#​1606) (992b480)

v12.1.4

Compare Source

Bug Fixes

• types: export ApplicationFunction (#​1631) (073f087)

v12.1.3

Compare Source

Bug Fixes

• log json in production (#​1598) (bb068d9)

v12.1.2

Compare Source

Bug Fixes

• typescript: add types for context.{repo,issue,pullRequest} (#​1622) (638a3b2)

v12.1.1

Compare Source

Bug Fixes

• update ioredis to non-vulnerable version (#​1589) (f02c549)

v12.1.0

Compare Source

Features

• website: 11ty 🚀 (#​1516) (7a43e9e)

v12.0.0

Compare Source

Features

• update @octokit/webhooks to v9 (#​1559) (4b3ae0e)

BREAKING CHANGES

• remove '*' event
• app.webhooks.middleware has been removed in @octokit/webhooks v9
• removes the webhookPath option on new Probot({}) for the webhooks middleware

v11.4.1

Compare Source

Bug Fixes

• support setting baseUrl on Octokit constructor instead of Probot constructor (#​1552) (453ddd2)

v11.4.0

Compare Source

Features

• logger: custom message key (#​1546) (01c2006)

v11.3.2

Compare Source

Bug Fixes

• skip smee setup by setting NO_SMEE_SETUP to "true" (#​1544) (acd47a6)

v11.3.1

Compare Source

Bug Fixes

• setup: do not enter setup mode if HOST environment variable is set (#​1538) (4d70d69)

v11.3.0

Compare Source

Features

• deprecate usage of the "*" event name (#​1518) (474b773)

v11.2.4

Compare Source

Bug Fixes

• run: await server.load() (#​1517) (8cc1590)

v11.2.3

Compare Source

Bug Fixes

• Update to Contributor Covenant v2 (#​1515) (72b0531)

v11.2.2

Compare Source

Bug Fixes

• add workaround for "appId option is required" when in setup mode (#​1513) (e11b91e)

v11.2.1

Compare Source

Bug Fixes

• bump @octokit/plugin-rest-endpoint-methods to v5 (#​1511) (9342caf)

v11.2.0

Compare Source

Features

• Add dark mode to builtin pages (#​1509) (ce96884)

v11.1.1

Compare Source

Bug Fixes

• update design of probot landing page (#​1508) (0e37427)

v11.1.0

Compare Source

Features

• add onAny and onError methods from @octokit/webhooks (#​1480) (9a24f9d)

v11.0.6

Compare Source

Bug Fixes

• deps: pin version of @​octokit/webhooks (#​1472) (cd14dd4)

v11.0.5

Compare Source

Bug Fixes

• clarify error message in case of invalid app authentication (#​1465) thanks @​eXpire163 (5f1831b)

v11.0.4

Compare Source

Bug Fixes

• TypeScript: fix description of context.pullRequest method (#​1461) (a5779ff)

v11.0.3

Compare Source

Bug Fixes

• correctly import (transpiled) app function for run and receive (#​1457) thanks @​ZauberNerd (2275698)

v11.0.2

Compare Source

Bug Fixes

• typescript: remove options.webhookProxy from Probot constructor (#​1459) (01bb678)

v11.0.1

Compare Source

Bug Fixes

• import app functions transpiled from TypeScript (#​1448) (3356845)

v11.0.0

Compare Source

BREAKING CHANGES

For a smooth upgrade, make sure to update to the latest Probot v10 version first (npm install probot@10), run your tests, and address all deprecation messages. Nearly all removed APIs have previously been deprecated.

• deprecated context.octokit.* have been removed via @octokit/plugin-rest-endpoint-methods v4

• probot.server property removed. Build your own server instead using import { Server } from "probot"

• probot.load() is now asynchronous and no longer returns the instance

• express-async-errors is no longer used.

• Probot constructor parameter no longer supported in createNodeMiddleware(app, { Probot }). Pass a probot instance instead: createNodeMiddleware(app, { probot })

• getOptions() has been removed. Use { probot: createProbot() } instead

• probot.load(appFn) no longer accepts appFn to be a path string. Pass the actual function instead.

• probot.setup() removed. Use the new Server class instead:

  const { Server, Probot } = require("probot")
  const server = new Server({
    // optional:
    host,
    port,
    webhookPath,
    webhookProxy,
    Probot: Probot.defaults({ id, privateKey, ... })
  })
  
  // load probot app function
  await server.load((app) => {})
  
  // start listening to requests
  await server.start()
  // stop server with: await server.stop()

  If you have more than one app function, combine them in a function instead

  const app1 = require("./app1")
  const app2 = require("./app2")
  
  module.exports = function app ({ probot, getRouter }) {
    await app1({ probot, getRouter })
    await app2({ probot, getRouter })
  }

• probot.start() / probot.stop() removed. Use the new Server class instead:

  const { Server, Probot } = require("probot")
  const server = new Server({
    Probot: Probot.defaults({ id, privateKey, ... })
    // optional:
    host,
    port,
    webhookPath,
    webhookProxy,
  })
  
  // load probot app function
  await server.load((app) => {})
  
  // start listening to requests
  await server.start()
  // stop server with: await server.stop()

• REDIS_URL is ignored when using Probot constructor. Use new Probot({ redisConfig: redis://... }) instead

• Probot constructor no longer reads environment variables. Pass options instead, or import { createProbot } from "probot" instead

• Probot.run() has been removed. Use import { run} from "probot" instead

• context.github has been removed. Use context.octokit instead

• context.event has been removed. Use context.name instead

• app.route() has been removed. Use the getRouter() argument from the app function instead: (app, { getRouter }) => { ... }

• app.router has been removed. Use getRouter() from the app function instead: (app, { getRouter }) => { ... }

• probot.logger has been removed. Use probot.log instead

• new Probot({ id }) has been removed. Use new Probot({ appId }) instead

• new Probot({ cert }) has been removed. Use new Probot({ privateKey }) instead

• probot.webhook has been removed. Use probot.webhooks instead

• createProbot(options) no longer supports any keys besides overrides, defaults, or env

• options.throttleOptions has been removed. Set options.Octokit to ProbotOctokit.defaults({ throttle }) instead

• import { Application } from probot has been removed. Use import { Probot } from probot instead, the APIs are the same

v10.19.0

Compare Source

Features

• un-deprecate (app) => {}. Deprecate ({ app, getRouter }) => {} in favor of (app, { getRouter }) => {} (#​1441) (42b043e), closes /github.com/probot/probot/issues/1286#issuecomment-744094299

v10.18.0

Compare Source

Features

• createProbot() (#​1431) (d315f0c)
• new Probot({ appId }) (a94fdca)
• Probot.version, Probot.defaults() (2ff5d21)
• run(appFn, { env }) (3d90806)
• createNodeMiddleware (bdbe94e)
• use new Server class when using probot run binary (8a3599d)

Deprecations

• probot.load() (3d4b363)
• probot.start() / probot.stop() / probot.setup() (7a8f268)
• Deprecates new Probot({ id }) (a94fdca)

Bug Fixes

• `createProbot() without options (8c01e90)
• load app function only once when using createNodeMiddleware (#​1432) (60b702b)
• server: log error requests as [METHOD] /[PATH] [STATUS] - [NUM]ms, e.g POST / 500 - 123ms (9d767e1)

v10.17.3

Compare Source

Bug Fixes

• app.route() with (app) => {} app function (#​1430) (d203219)

v10.17.2

Compare Source

Bug Fixes

• remove GHE_HOST deprecation message when using probot run cli (#​1423) (0ec5f23), closes #​1422

v10.17.1

Compare Source

Bug Fixes

• set default log level correctly to "info" (49153b8)

v10.17.0

Compare Source

Features

• import { run } from "probot". Deprecates Probot.run() (f35b58a)
• new Probot({ baseUrl }). Deprecates GHE_HOST / GHE_PROTOCOL when using with the Probot constructor (7abbef7)
• new Probot({ logLevel }). Deprecates LOG_LEVEL when using Probot constructor (7c46218)
• deprecate INSTALLATION_TOKEN_TTL (dfc59fc)
• deprecate LOG_FORMAT, LOG_LEVEL_IN_STRING, SENTRY_DSN environment variables when using Probot constructor. Pass a custom log instance instead: (514c764)
• deprecate REDIS_URL environment variable when using with the Probot constructor. Use new Probot({ redisConfig: "redis://..." }) instead (1dbd999)

v10.16.0

Compare Source

Features

• use @probot/get-private-key (#​1414) (47d9f3a), closes #​1309

v10.15.0

Compare Source

Features

• context.octokit. Deprecates context.github (#​1413) (0527b98)

v10.14.1

Compare Source

Bug Fixes

• deps: update @octokit/core to latest (#​1412) (9351df4)

v10.14.0

Compare Source

Features

• deprecate { Application } export. Use { Probot } instead, it has the same APIs now. (#​1408) (0e52e05)

v10.13.0

Compare Source

Features

• probot.on() / probot.receive() / probot.auth() (#​1407) (1812cfe)

v10.12.0

Compare Source

Features

• getRouter argument for app function (({ app, getRouter }) => {}) (#​1406) (de3adc1)

v10.11.0

Compare Source

Features

• (app) => {} is now ({ app }) => {} (#​1405) (4bfae5a)

v10.10.2

Compare Source

Bug Fixes

• stop using .webhooks.on("*", handler) in favor of `.webhooks.onAny(handler) (ab6fcb1)

v10.10.1

Compare Source

Bug Fixes

• correct payload type by omitting context keys (#​1389) (2b30518)

v10.10.0

Compare Source

Features

• use octokit-auth-probot (#​1392) (8ba3a8e)

v10.9.5

Compare Source

Bug Fixes

• use webhooks.onError() instead of deprecated webhooks.on("error", ...) (#​1390) (a5b36b3)

v10.9.4

Compare Source

Bug Fixes

• typescript: TypeScript issues TS2305,TS2707,TS7006 (41ee70c), closes #​1387

v10.9.3

Compare Source

Bug Fixes

• types: set correct type for context passed to event handler (#​1378) (05abeef), closes #r501871740

v10.9.2

Compare Source

Bug Fixes

• typescript: adapt for latest @octokit/webhooks (#​1374) (630d78e)

v10.9.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.