Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency octokit to v3 [security] - autoclosed #1822

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency octokit to v3 [security] - autoclosed #1822

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 16, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
octokit ^2.1.0 -> ^3.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @​octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @​pb82 (for the early analysis) and @​rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

Maintenance release for the reference for octokit/webhooks.js in app.js

Maintenance release for the reference for octokit/webhooks.js in octokit.js

Maintenance release for the reference for octokit/webhooks.js in Protobot

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

Release Notes

octokit/octokit.js (octokit)

v3.1.2

Compare Source

Bug Fixes
  • updates app.js for the handling of an error being thrown by the verify method in webhooks.js (#​2576) (b59da80)

v3.1.1

Compare Source

Bug Fixes

v3.1.0

Compare Source

Features

v3.0.0

Compare Source

Features
BREAKING CHANGES
  • Drop support for NodeJS v14, v16
  • Remove previews support for the REST API
  • remove agent option from octokit.request()
  • Replace support for Node.js http(s) Agents with documentation on using fetch dispatchers instead (via @octokit/request)
  • Remove ability to pass custom request options, except for method, headers, body, signal (via @​octokit/request)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Seoul, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the chore:deps Issue or PR related to dependencies label Dec 16, 2023
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Dec 16, 2023
edited
Loading

⚠️ No Changeset found

Latest commit: 0eef839

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-octokit-vulnerability branch from 87d57a7 to acefac2 Compare December 20, 2023 07:42
@sungik-choi sungik-choi marked this pull request as draft January 3, 2024 06:36
@renovate renovate bot force-pushed the renovate/npm-octokit-vulnerability branch from acefac2 to b2f717e Compare January 15, 2024 09:57
@renovate renovate bot force-pushed the renovate/npm-octokit-vulnerability branch from b2f717e to 0eef839 Compare February 19, 2024 10:59
@renovate renovate bot changed the title fix(deps): update dependency octokit to v3 [security] fix(deps): update dependency octokit to v3 [security] - autoclosed Feb 27, 2024
@renovate renovate bot closed this Feb 27, 2024
@renovate renovate bot deleted the renovate/npm-octokit-vulnerability branch February 27, 2024 04:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sungik-choi sungik-choi Awaiting requested review from sungik-choi sungik-choi is a code owner

@yangwooseong yangwooseong Awaiting requested review from yangwooseong yangwooseong is a code owner

Assignees
No one assigned
Labels
chore:deps Issue or PR related to dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants