Update dependency probot to v14 [SECURITY] #62
Open
renovate[bot] wants to merge 1 commit into master from
This PR contains the following updates:

| Package | Change |
|---|---|
| probot | `^6.0.0` → `^14.0.0` |

GitHub Vulnerability Alerts
CVE-2023-50728
Impact
Versions v9.26.0, v10.9.x, v11.1.x, v12.0.x all contained the code that would throw the error.
Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process.
The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.
Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).
Patches
- Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js
- Maintenance release for the reference for octokit/webhooks.js in app.js
- Maintenance release for the reference for octokit/webhooks.js in octokit.js
- Maintenance release for the reference for octokit/webhooks.js in Probot
Workarounds
It is recommended that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated backported versions.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Release Notes
probot/probot (probot)

v14.3.2: Bug Fixes
v14.3.1: Bug Fixes
v14.3.0: Bug Fixes; Features
v14.2.4: Bug Fixes
v14.2.3: Bug Fixes
v14.2.2: Bug Fixes
v14.2.1: Bug Fixes
- … `run` if we send SIGINT (#2251) (02862ce)
v14.2.0: Features
v14.1.0: Features
- … `erasableSyntaxOnly` is enforced (#2253) (94b8929)
v14.0.6: Bug Fixes
v14.0.5: Bug Fixes
v14.0.4: Bug Fixes
v14.0.3: Bug Fixes
v14.0.2: Bug Fixes
v14.0.1: Bug Fixes
v14.0.0: BREAKING CHANGES
- … `@octokit/webhooks` v13)
- … `octokit.rest.*` methods
- … `private` in TypeScript, including `Probot#state`, are now private class fields.
- `createNodeMiddleware()` is now an async function
- `@sentry/node` needs to be installed separately if needed
- `ioredis` needs to be installed separately if needed
- … `localhost` by default instead of `0.0.0.0`.

Probot v14 Migration Guide
ESM Only Package

Probot is now exclusively an ESM package. Either migrate to ESM (recommended), or use `require(esm)`.

Migrating to ESM:
- … `package.json`: `{ "type": "module" }`
- … `require()` statements with ESM `import` syntax
- … `{ "compilerOptions": { "module": "node16", "moduleResolution": "node16" } }`

For `require(esm)`:
- … `"module": "nodenext"` and `"moduleResolution": "nodenext"`
- … `"module": "node20"` and `"moduleResolution": "node20"`

Node.js Version Requirements

Webhook Type Definitions

Replace webhook type imports:

REST API Access Pattern

Legacy endpoint methods have been removed:

Express Server Removal

The built-in Express server has been removed. To use Express:

HTTP Server no longer listens on `0.0.0.0` by default

The built-in HTTP server will now listen on `localhost` by default, instead of listening on all available interfaces. If you wish to change this behaviour, you can use the `HOST` environment variable, or the `--host` variable for the `probot run` command.

Asynchronous Middleware Initialization

`createNodeMiddleware()` is now asynchronous:

v13.4.7: Bug Fixes
- … `@octokit/webhooks`, remove internal `rebindLog()` function (#2220) (c4c67c3), closes #2062
v13.4.6: Bug Fixes
v13.4.5: Bug Fixes
v13.4.4: Bug Fixes
v13.4.3: Bug Fixes
v13.4.2: Bug Fixes
v13.4.1: Bug Fixes
v13.4.0: Features
v13.3.10: Bug Fixes
v13.3.9: Bug Fixes
- … `@probot/pino` to v2.5.0 (f26cf46), closes #2102
v13.3.8: Bug Fixes
v13.3.7: Bug Fixes
- … `Context` (#2073) (23f6eab), closes #1968
v13.3.6: Bug Fixes
v13.3.5: Bug Fixes
v13.3.4: Bug Fixes
v13.3.0: Features
- … `x-github-delivery` header to `event.id` for all requests sent from `context.octokit` in event handlers (#2027) (12944d5)
v13.2.2: Bug Fixes
v13.2.1: Bug Fixes
v13.2.0: Features
v13.1.2: Bug Fixes
v13.1.1: Bug Fixes
v13.1.0: Features
- … `Octokit` and `log` (#1984) (d195264)
v13.0.2: Bug Fixes
v13.0.1: Bug Fixes
v13.0.0: Features; BREAKING CHANGES
- … `node-fetch` with the Fetch API
- … `webhookPath` is now `/api/github/webhooks`
- `probot receive` now only supports payloads in JSON format, previously also (unintentionally) allowed JS.
- … `string` to the `.verify()`, `.verifyAndReceive()` methods. Passing objects is no longer supported

Note on Vercel deployments:
Set the `NODEJS_HELPERS` environment variable to `0` in order to prevent Vercel from parsing the response body. See Disable Helpers for detail.
v12.4.0: Features
- … `x-github-delivery` header to `event.id` for all requests sent from `context.octokit` in event handlers (#2026) (f1985e5)
v12.3.4: Bug Fixes
v12.3.3: Bug Fixes
- … `@octokit/webhooks` security update (#1911) (02d81f8)
v12.3.2: Bug Fixes
v12.3.1: Bug Fixes
v12.3.0: Features
v12.2.9: Bug Fixes
v12.2.8: Bug Fixes
- … `probot receive` support complex Probot apps (#1714) (eff5553)
v12.2.7: Bug Fixes
- … `--base-url` option and `GHE_HOST` (#1719) (68c9b91)
v12.2.6: Bug Fixes
v12.2.5: Bug Fixes
v12.2.4: Bug Fixes
v12.2.3: Bug Fixes
v12.2.2: Bug Fixes
v12.2.1: Bug Fixes
- … `hbs` (#1638) (dd9f5ae)
v12.2.0: Features
- … `GH_ORG` environment variable (#1606) (992b480)
v12.1.4: Bug Fixes
- … `ApplicationFunction` (#1631) (073f087)
v12.1.3: Bug Fixes
v12.1.2: Bug Fixes
- … `context.{repo,issue,pullRequest}` (#1622) (638a3b2)
v12.1.1: Bug Fixes
v12.1.0: Features
v12.0.0: Features
- … `@octokit/webhooks` to v9 (#1559) (4b3ae0e)
BREAKING CHANGES
- … `@octokit/webhooks` v9
- … `webhookPath` option on `new Probot({})` for the webhooks middleware
v11.4.1: Bug Fixes
- … `baseUrl` on Octokit constructor instead of Probot constructor (#1552) (453ddd2)
v11.4.0: Features
v11.3.2: Bug Fixes
- … `NO_SMEE_SETUP` to `"true"` (#1544) (acd47a6)
v11.3.1: Bug Fixes
- … `HOST` environment variable is set (#1538) (4d70d69)
v11.3.0: Features
v11.2.4: Bug Fixes
- … `server.load()` (#1517) (8cc1590)
v11.2.3: Bug Fixes
v11.2.2: Bug Fixes
v11.2.1: Bug Fixes
- … `@octokit/plugin-rest-endpoint-methods` to v5 (#1511) (9342caf)
v11.2.0: Features
v11.1.1: Bug Fixes
v11.1.0: Features
- … `onAny` and `onError` methods from `@octokit/webhooks` (#1480) (9a24f9d)
v11.0.6: Bug Fixes
v11.0.5: Bug Fixes
v11.0.4: Bug Fixes
- … `context.pullRequest` method (#1461) (a5779ff)
v11.0.3: Bug Fixes
v11.0.2: Bug Fixes
- … `options.webhookProxy` from `Probot` constructor (#1459) (01bb678)
v11.0.1: Bug Fixes
v11.0.0: BREAKING CHANGES

For a smooth upgrade, make sure to update to the latest Probot v10 version first (`npm install probot@10`), run your tests, and address all deprecation messages. Nearly all removed APIs have previously been deprecated.

- deprecated `context.octokit.*` have been removed via `@octokit/plugin-rest-endpoint-methods` v4
- `probot.server` property removed. Build your own server instead using `import { Server } from "probot"`
- `probot.load()` is now asynchronous and no longer returns the instance
- `express-async-errors` is no longer used.
- `Probot` constructor parameter no longer supported in `createNodeMiddleware(app, { Probot })`. Pass a `probot` instance instead: `createNodeMiddleware(app, { probot })`
- `getOptions()` has been removed. Use `{ probot: createProbot() }` instead
- `probot.load(appFn)` no longer accepts `appFn` to be a path string. Pass the actual function instead.
- `probot.setup()` removed. Use the new `Server` class instead. If you have more than one app function, combine them in a function instead
- `probot.start()` / `probot.stop()` removed. Use the new `Server` class instead
- `REDIS_URL` is ignored when using `Probot` constructor. Use `new Probot({ redisConfig: redis://... })` instead
- `Probot` constructor no longer reads environment variables. Pass options instead, or `import { createProbot } from "probot"` instead
- `Probot.run()` has been removed. Use `import { run } from "probot"` instead
- `context.github` has been removed. Use `context.octokit` instead
- `context.event` has been removed. Use `context.name` instead
- `app.route()` has been removed. Use the `getRouter()` argument from the app function instead: `(app, { getRouter }) => { ... }`
- `app.router` has been removed. Use `getRouter()` from the app function instead: `(app, { getRouter }) => { ... }`
- `probot.logger` has been removed. Use `probot.log` instead
- `new Probot({ id })` has been removed. Use `new Probot({ appId })` instead
- `new Probot({ cert })` has been removed. Use `new Probot({ privateKey })` instead
- `probot.webhook` has been removed. Use `probot.webhooks` instead
- `createProbot(options)` no longer supports any keys besides `overrides`, `defaults`, or `env`
- `options.throttleOptions` has been removed. Set `options.Octokit` to `ProbotOctokit.defaults({ throttle })` instead
- `import { Application } from probot` has been removed. Use `import { Probot } from probot` instead, the APIs are the same

v10.19.0: Features
- … `(app) => {}`. Deprecate `({ app, getRouter }) => {}` in favor of `(app, { getRouter }) => {}` (#1441) (42b043e), closes /github.com/probot/probot/issues/1286#issuecomment-744094299
v10.18.0: Features
- … `createProbot()` (#1431) (d315f0c)
- … `new Probot({ appId })` (a94fdca)
- … `Probot.version`, `Probot.defaults()` (2ff5d21)
- … `run(appFn, { env })` (3d90806)
- … `Server` class when using `probot run` binary (8a3599d)
Deprecations
- … `probot.load()` (3d4b363)
- … `probot.start()` / `probot.stop()` / `probot.setup()` (7a8f268)
- … `new Probot({ id })` (a94fdca)
Bug Fixes
- … `[METHOD] /[PATH] [STATUS] - [NUM]ms`, e.g. `POST / 500 - 123ms` (9d767e1)
v10.17.3: Bug Fixes
- … `app.route()` with `(app) => {}` app function (#1430) (d203219)
v10.17.2: Bug Fixes
- … `GHE_HOST` deprecation message when using `probot run` cli (#1423) (0ec5f23), closes #1422
v10.17.1: Bug Fixes
- … `"info"` (49153b8)
v10.17.0: Features
- … `import { run } from "probot"`. Deprecates `Probot.run()` (f35b58a)
- … `new Probot({ baseUrl })`. Deprecates `GHE_HOST` / `GHE_PROTOCOL` when using with the `Probot` constructor (7abbef7)
- … `new Probot({ logLevel })`. Deprecates `LOG_LEVEL` when using `Probot` constructor (7c46218)
- … `INSTALLATION_TOKEN_TTL` (dfc59fc)
- … `LOG_FORMAT`, `LOG_LEVEL_IN_STRING`, `SENTRY_DSN` environment variables when using `Probot` constructor. Pass a custom log instance instead: (514c764)
- … `REDIS_URL` environment variable when using with the `Probot` constructor. Use `new Probot({ redisConfig: "redis://..." })` instead (1dbd999)
v10.16.0: Features
- … `@probot/get-private-key` (#1414) (47d9f3a), closes #1309
v10.15.0: Features
- … `context.octokit`. Deprecates `context.github` (#1413) (0527b98)
v10.14.1: Bug Fixes
- … `@octokit/core` to latest (#1412) (9351df4)
v10.14.0: Features
- … `{ Application }` export. Use `{ Probot }` instead, it has the same APIs now. (#1408) (0e52e05)
v10.13.0: Features
- … `probot.on()` / `probot.receive()` / `probot.auth()` (#1407) (1812cfe)
v10.12.0: Features
- … `getRouter` argument for app function (`({ app, getRouter }) => {}`) (#1406) (de3adc1)
v10.11.0: Features
- … `(app) => {}` is now `({ app }) => {}` (#1405) (4bfae5a)
v10.10.2: Bug Fixes
- … `.webhooks.on("*", handler)` in favor of `.webhooks.onAny(handler)` (ab6fcb1)
v10.10.1: Bug Fixes
v10.10.0: Features
- … `octokit-auth-probot` (#1392) (8ba3a8e)
v10.9.5: Bug Fixes
- … `webhooks.onError()` instead of deprecated `webhooks.on("error", ...)` (#1390) (a5b36b3)
v10.9.4: Bug Fixes
v10.9.3: Bug Fixes
- … `context` passed to event handler (#1378) (05abeef), closes #r501871740
v10.9.2: Bug Fixes
- … `@octokit/webhooks` (#1374) (630d78e)
v10.9.1

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.