chore(deps): update dependency @octokit/webhooks to v9 [security] - autoclosed #31

renovate · 2023-12-16T05:10:29Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@octokit/webhooks	`^7.1.2` -> `^9.0.0`

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

v12 - v12.0.4
v11 - v11.1.2
v10 -v10.9.2
v9 - v9.26.3

Maintenance release for the reference for octokit/webhooks.js in app.js

v14.0.2

Maintenance release for the reference for octokit/webhooks.js in octokit.js

v3.1.2

Maintenance release for the reference for octokit/webhooks.js in Protobot

v12.3.3

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

Release Notes

octokit/webhooks.js (@octokit/webhooks)

`v9.26.3`

Compare Source

Bug Fixes

try to release with previously used semantic-release version (a674dd6)

`v9.26.2`

Compare Source

Bug Fixes

trigger another release (cce5722), closes #issuecomment-1812983128

`v9.26.1`

Compare Source

Bug Fixes

handles verify error (#917) (0504ad8)

`v9.26.0`

Compare Source

Features

types: webhooks updates via @octokit/webhooks v5.8.0 (#680) (c9b66b1)

`v9.25.0`

Compare Source

Features

types: new projects_v2_item event (#679) (c8c6a38)

`v9.24.0`

Compare Source

Features

types: webhooks types updates via @octokit/webhooks v5.6.0 (#677) (637603b)

`v9.23.0`

Compare Source

Features

types: new repository_vulnerability_alert.reopen event, remove workflow_job.started event, and many other type updates for events via @octokit/webhooks-types to v5.5.1 (#674) (f147fa3)

`v9.22.0`

Compare Source

Features

types: updates to deployment and deployment_status events, new deployment property for check_run event (#662) (ebf8f49)

`v9.21.0`

Compare Source

Features

types: new changes.base property on pull_request#edited, new merged_at property on issues common schema, new rerequestable property on check_suite#completed, new log_url property on deployment#created, remove content_reference event (#660) (9fdd549)

`v9.20.0`

Compare Source

Features

types: new pull_request_review_thread event (#659) (768ce13)

`v9.19.0`

Compare Source

Features

update @octokit/webhooks-types to v4.16 (#658) (d185662)

`v9.18.0`

Compare Source

Features

types: description updates for the workflow_run event (#657) (bad7bf7)

Features

types: add missing event workflow_job.in_progress, description updates for push event payload properties (#647) (07279dc)

`v9.15.1`

Compare Source

Bug Fixes

types: add ability to remove onAny listeners again (#645) (2b00d86)

`v9.15.0`

Compare Source

Features

types: add missing workflow_job.queued event (#633) (b611fee)

`v9.14.2`

Compare Source

Bug Fixes

types: allow non-truthy values in generated output (#632) (c51e5ee)

`v9.14.1`

Compare Source

Bug Fixes

handle invalid URL (#611) (7843cb2)

`v9.14.0`

Compare Source

Features

export emitterEventNames (#626) (976c7c4)

`v9.13.0`

Compare Source

Features

types: new branch_protection_rule event (#624) (8e5099d)

`v9.12.0`

Compare Source

Features

add workflow_job event (#614) (5700a1a)

`v9.11.0`

Compare Source

Features

types: updates to Installation and Commit common interfaces, updates to MemberAdded, RepositoryVulnerabilityAlertResolve, RepositoryEdited events (#607) (406fd8f)

`v9.10.0`

Compare Source

Features

typescript: export the EmitterWebhookEventName type (#604) (b09d164)

`v9.9.0`

Compare Source

Features

types: new labeled & unlabeled actions for DiscussionEvent, Discussion#state can be converting, active_lock_reason can be null in DiscussionLockedEvent, LabelEditedEvent#changes now contains a description object (#603) (68861f4)

`v9.8.4`

Compare Source

Bug Fixes

types: add new properties for the Container registry to PackageEvent (#596) (984f3f5)

`v9.8.3`

Compare Source

Bug Fixes

remove all whitespace when stringifying a webhook event payload object to a JSON string for verifycation (#595) (3e0f2a0)

`v9.8.2`

Compare Source

Bug Fixes

types: add changes object for IssuesTransferredEvent and for IssuesOpenedEvent when the issue is transferred (#592) (7d6a81d), closes #590 #591

`v9.8.1`

Compare Source

Bug Fixes

bump @octokit/webhooks-methods to ^2.0.0 (#587) (3344b9f)

`v9.8.0`

Compare Source

Features

octokit.verifyAndReceive() accepts raw string payload (#586) (435344b)

`v9.7.0`

Compare Source

Features

update {App, Installation}#permissions with additional permissions, add changes property to RepositoryRenamedEvent, ReleaseAsset#label can be null, Installation#suspended_{at, by} are always present, fix WorkflowRun#pull_requests is not PullRequest[] but a simpler type (01891fc)

`v9.6.3`

Compare Source

Bug Fixes

typescript: issue_comment event description update (#573) (da05374)

`v9.6.2`

Compare Source

Bug Fixes

types: add missing properties to events, update properties types (via @octokit/webhooks-types v3.75.1) (#570) (a2fd414)

`v9.6.1`

Compare Source

Bug Fixes

types: PullRequest#body can be of type string or null, Release#{body, name} are only of type string (#566) (7643a67)

`v9.6.0`

Compare Source

Features

types: fix workflow_run#conclusion is not always null, add new app_id to MarketplacePurchase#account, add requester to installation_repositories.removed, add enums for various properties (#565) (9eef640)

`v9.5.1`

Compare Source

Bug Fixes

types: an issue's body can be empty and thus be null (#562) (7cb03b3), closes #561

`v9.5.0`

Compare Source

Features

types: new withdrawn action for security_advisory event (#560) (610d82b)

`v9.4.0`

Compare Source

Features

types: requester in InstallationRepositoriesAddedEvent can be null and is now set as required, closed_at in IssueCommentEvent isn't always null (#558) (fcafa8d)

`v9.3.0`

Compare Source

Features

types: add missing permissions in Installation#removed, add null to various properties, list all events instead of string[] in Installation#events, add string to PushEvent#base_ref (#557) (47211c7)

`v9.2.0`

Compare Source

Features

types: add new changes property to ProjectColumnEditedEvent and make ProjectCard#content_url optional (#550) (d4f9b4b)

`v9.1.2`

Compare Source

Bug Fixes

types: update properties in PullRequestReviewCommentEvent and WorkflowRunDispatchEvent (#547) (6f317c4)

`v9.1.1`

Compare Source

Bug Fixes

update some property types with new information (#543) (31fd4ef)

`v9.1.0`

Compare Source

Features

update package to use new packages split from @octokit/webhooks-defintions (#539) (698e793)

`v9.0.1`

Compare Source

Bug Fixes

middleware: pass on to the next middleware in case of express (#534) (07f19fe)

`v9.0.0`

Compare Source

BREAKING CHANGES

createWebhooksApi() has been removed. Use new Webhooks() instead
webhooks.middleware has been removed. Use createNodeMiddleware() instead
createMiddleware has been removed. Use createNodeMiddleware() instead
deprecated path option for Webhooks constructor has been removed. Use createNodeMiddleware(webhooks, { path }) instead
all usage of debug has been removed. Use the log option instead

webhooks.sign now default to sha256 algorithm. In order to continue to use sha1, replace

webhooks.sign(secret, payload)

with

webhooks.sign({ secret, algorith: "sha1" }, payload)

webhooks.sign() and webhooks.verify() are now asynchronous
static sign and verify methods are no longer exported. Use @octokit/webhooks-methods package instead

`v8.12.3`

Compare Source

Bug Fixes

correct spelling error in DiscussionTransferredEvent event name (#532) (5bd1901)

`v8.12.2`

Compare Source

Bug Fixes

typescript: username property on Committer can be not present #530) (720f92b)

`v8.12.1`

Compare Source

Bug Fixes

typescript: add some missing properties to event payloads (#529) (3072c79)

`v8.12.0`

Compare Source

Features

typescript: add new is_one_time and is_custom_ammount to SponsorshipTier (e75d17a)

`v8.11.2`

Compare Source

Bug Fixes

types: allow IncomingMessage to have bodies of other types (#524) (01c38e8)

`v8.11.1`

Compare Source

Bug Fixes

use options.onUnhandledRequest in createNodeMiddleware(webhooks, options) (#519) (69c39f0)

`v8.11.0`

Compare Source

Features

typescript: add new DiscussionEvent and DiscussionCommentEvent types, fix types for Installation#requester to be User and not null (#523) (995b48d)

`v8.10.1`

Compare Source

Bug Fixes

typescript: remove description from objects in order to stop duplication (#517) (5121039)

`v8.10.0`

Compare Source

Features

typescript: compile-time error when missing secret option (#461) (deefd69)

`v8.9.0`

Compare Source

Features

createNodeMiddleware() (#509) (8292596)

`v8.8.3`

Compare Source

Bug Fixes

remove null override on IssueCommentEditedEvent#issue.closed_at (#516) (8fef083)

`v8.8.2`

Compare Source

Bug Fixes

typescript: update description for GollumEvent (#512) (0eb0783)

`v8.8.1`

Compare Source

Bug Fixes

typescript: default TTransformed in Webhooks type parameter to unknown (#514) (21f21b0)

`v8.8.0`

Compare Source

Features

deprecate createWebhooksApi() (#511) (f8f3d15)

`v8.7.2`

Compare Source

Bug Fixes

typescript: improve type of WorkflowRun#conclusion property (#506) (f5f55b6)

`v8.7.1`

Compare Source

Bug Fixes

typescript: update URL in the descriptions for RepositoryVulnerabilityAlertEvent and SecurityAdvisoryEvent (#505) (b2be1a1)

`v8.7.0`

Compare Source

Features

typescript: add descriptions to webhooks payload interface properties (#503) (7bf22c9)

`v8.6.2`

Compare Source

Bug Fixes

typescript: add check_suite_id property to WorkflowRun interface & remove sender property from SecretScanningAlertCreatedEvent (#501) (dec3f63)

`v8.6.1`

Compare Source

Bug Fixes

typescript: add auto_merge property to PullRequest and add email permission to App (#500) (6ba0ae9)

`v8.6.0`

Compare Source

Features

typescript: add description for {CreateEvent, DeleteEvent}#pusher_type property (#499) (2dfe3a9)

`v8.5.4`

Compare Source

Bug Fixes

typescript: revert #459 & #464 (#494) (11d6e36)

`v8.5.3`

Compare Source

Bug Fixes

deps: explicitly specify that TS 4.1 is required (#485) (b5fdf2a)

`v8.5.2`

Compare Source

Bug Fixes

typescript: HandlerFunction argument (#464) (aad9b74)

`v8.5.1`

Compare Source

Bug Fixes

types: update WorkflowRun#pull_request with the PullRequest interface instead of unknown (2b7490f)

`v8.5.0`

Compare Source

Features

typescript: new deployment object for CheckRunEvent; cleanup properties in issue and pull_request events; fix GitHubOrg interface values (#478) (639896f)

`v8.4.1`

Compare Source

Bug Fixes

typescript: compile-time invalid argument errors (#465) (ceacf57)

`v8.4.0`

Compare Source

Features

typescript: use the Github org values as defaults for the sender property in CodeScanningAlert (#468) (59d2ca9)

`v8.3.0`

Compare Source

Features

typescript: update CodeScanningAlert#{AppearedInBranch,Created,Fixed,Reopened} types to include a sender field defaulted to GitHub (#450) (6106784)

`v8.2.0`

Compare Source

Features

typescript: compile-time missing options error (#458) (a3b1c6b)

`v8.1.1`

Compare Source

Bug Fixes

typescript: simplify TransformMethod type (#460) (245cee3)

`v8.1.0`

Compare Source

Features

logging: add log option (#457) (661572a)

`v8.0.3`

Compare Source

Bug Fixes

typescript: infer TTransformed from createEventHandler() options (#459) (d2a0b73)

`v8.0.2`

Compare Source

First stable 8.x release, see release notes for v8.0.0

Bug Fixes

typescript: add enum to delete#ref_type to match create event (via @octokit/webhooks-definitions v3.58.1) (#449) (fd1477c)

`v8.0.1`

Compare Source

Bug Fixes

throw an error if * or error events are passed to #on (560ff73)

`v8.0.0`

Compare Source

BREAKING CHANGES

payload types have been renamed and refactored
passing * as an event name is no longer supported
passing error as an event name is no longer supported

Features

make @octokit/webhooks-definitions a dependency (c4ed3d8)
refactor types (8e81a5a)
remove deprecated payload types (ca8c6f1)
remove deprecated properties from error types (bae6624)
remove support for * event (4b20ca7)
remove support for error event (b2d5c70)

Bug Fixes

typos (2db33e5)

`v7.24.3`

Compare Source

Bug Fixes

typescript: add enum to delete#ref_type to match create event (via @octokit/webhooks-definitions v3.58.1) (#449) (fd1477c)

`v7.24.2`

Compare Source

Bug Fixes

typescript: resolve correct value for BaseWebhookEvent#name (#435) (aaec66e)

`v7.24.1`

Compare Source

Bug Fixes

types: webhooks type fixes (#433) (a4335d0)

`v7.23.0`

Compare Source

Features

types: receive() type improvement for consistency with event-handler one (#428) (09c83b4)

`v7.22.0`

Compare Source

Bug Fixes

type the return of createEventHandler (#422) (28f6a42)

Features

use new types from @octokit/webhooks-definitions (#406) (d3df9f3)

`v7.21.0`

Compare Source

Features

typescript: deduplicate Sender type (#397) (87b514e)

`v7.20.1`

Compare Source

Bug Fixes

typescript: WebhookPayloadMarketplacePurchaseMarketplacePurchaseAccount#node_id property (4593108)

`v7.20.0`

Compare Source

Features

typescript: type action property on payloads (#392) thanks @G-Rath (c5062b7)

`v7.19.0`

Compare Source

Features

typescript: better payload definitions (#391) (341a8b2)

`v7.18.3`

Compare Source

Bug Fixes

typescript: eventPayload parameter for Webhooks#verify can be string (#388) (bc4a071)

`v7.18.2`

Compare Source

Bug Fixes

mark eventPayload param for verify as string | object (#387) (1c405ab)

`v7.18.1`

Compare Source

Bug Fixes

move @pika/plugin-ts-standard-pkg to devDependencies (#380) (db6bd16)

`v7.18.0`

Compare Source

Features

typescript: export EventTypesPayload type (#372) (7d1948e)

`v7.17.0`

Compare Source

Features

typescript: adds organization to ping event types (#378) (393d65c)
typescript: type algorithm property for sign options (#377) (84f753b)

`v7.16.1`

Compare Source

Bug Fixes

typescript: mark verify parameters as required (#373) thanks @G-Rath (fc4ddd3)

`v7.16.0`

Compare Source

Features

secret_scanning_alert event (fe02719)

`v7.15.2`

Compare Source

Bug Fixes

typescript: add types for check_run.requested_action (#370) thanks @codebytere (7f20987)

`v7.15.1`

Compare Source

Bug Fixes

prefix error messages with "[@octokit/webhooks] " (#339) (79cfd19)

`v7.15.0`

Compare Source

Features

Add onAny and onEvent functions (#324) (3117844)

`v7.14.0`

Compare Source

Features

sign: support sha256 algorithm (#322) (35921fc)

`v7.13.1`

Compare Source

Bug Fixes

typescript: optional installation key in payload (#327) (6ff2cd8)

`v7.13.0`

Compare Source

Features

export WebhooksEvents from @octokit/webhooks.js (#321) (2323461)

`v7.12.2`

Compare Source

Bug Fixes

typescript: add optional "organization" key to event payloads (#300) (89aa7f7)

`v7.12.1`

Compare Source

Bug Fixes

typescript autocomplete and types for public api (#292) (22e9ff9)

`v7.12.0`

Compare Source

Features

proper types for requested_reviewers, labels, assignees (#296) (f52f20c)

`v7.11.4`

Compare Source

Bug Fixes

README: Constructor example: WebhooksApi -> Webhooks (#280) (f0db6f7)

`v7.11.3`

Compare Source

Bug Fixes

typescript: workaround for trouble with aggregate-error type exports (#245) (#270) (d2c90ac)

`v7.11.2`

Compare Source

Bug Fixes

deps: Depend on aggregate-error 3.1.0 (#236) (d4bd29b), closes #235

`v7.11.1`

Compare Source

Bug Fixes

deps: bump aggregate-error from 3.0.1 to 3.1.0 (#216) (b359fde)

`v7.11.0`

Compare Source

Features

typescript: export WebhookError (#204) (c3b320b)

`v7.10.0`

Compare Source

Features

reply after 9s with 202 status (#190) (dfdfc46)

`v7.9.4`

Compare Source

Bug Fixes

set encoding before reading payload for signature verification (#202) (9ad154d)

`v7.9.3`

Compare Source

Bug Fixes

typescript: Change options to match the ones from other octokit repos (b4d3e8b)

`v7.9.2`

Compare Source

Bug Fixes

typescript: Remove file extension from import (#193) (459f5da), closes #188

`v7.9.1`

Compare Source

Bug Fixes

assure that errors are always instances of AggregateError (4b2ec11)

`v7.9.0`

Compare Source

Features

set common error types from Octokit request errors (#183) (c57780f)

`v7.8.2`

Compare Source

Bug Fixes

typescript: WebhookPayloadPullRequest["installation"] (#179) (89dca08)

`v7.8.1`

Compare Source

Bug Fixes

package: release settings (#175) (ecdc9a1)

`v7.8.0`

Compare Source

Features

TypeScript: Webhook events are now an enum instead of a list of strings. Webhook event name types can be imported as EventNames

TypeScript changes

Webhooks.WebhookEvent type is now just WebhookEvent
Webhooks.WebhookPayload* types are now EventPayloads.WebhookPayload*

`v7.7.0`

Compare Source

Features

"workflow_dispatch" event and new actions for "pull_request", "release", and "sponsorship" (#168) (c9ef605)

`v7.6.5`

Compare Source

Bug Fixes

types: Update "sign" and "verify" types in generate-types.js (#161) (9c4080d)

`v7.6.4`

Compare Source

Bug Fixes

README: link to event-handler module docs (#155) (e566b49)

`v7.6.3`

Compare Source

Bug Fixes

docs: fix links in README (#150) (6f23f6a)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

chore(deps): update dependency @octokit/webhooks to v9 [security]

aab97a1

renovate bot changed the title ~~chore(deps): update dependency @octokit/webhooks to v9 [security]~~ chore(deps): update dependency @octokit/webhooks to v9 [security] - autoclosed Aug 10, 2024

renovate bot closed this Aug 10, 2024

renovate bot deleted the renovate/npm-@octokit/webhooks-vulnerability branch August 10, 2024 17:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency @octokit/webhooks to v9 [security] - autoclosed #31

chore(deps): update dependency @octokit/webhooks to v9 [security] - autoclosed #31

Uh oh!

renovate bot commented Dec 16, 2023 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): update dependency @octokit/webhooks to v9 [security] - autoclosed #31

chore(deps): update dependency @octokit/webhooks to v9 [security] - autoclosed #31

Uh oh!

Conversation

renovate bot commented Dec 16, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

Release Notes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

Features

Features

Features

Features

Features

Features

Features

Features

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Features

Features

Features

Features

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Features

Features

Features

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

BREAKING CHANGES

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Features

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

renovate bot commented Dec 16, 2023 •

edited

Loading