Update dependency probot to v12 [SECURITY] #87
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^9.2.10
->^12.0.0
GitHub Vulnerability Alerts
CVE-2023-50728
Impact
Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.
Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.
The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.
Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).
Patches
Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js
Maintenance release for the reference for octokit/webhooks.js in app.js
Maintenance release for the reference for octokit/webhooks.js in octokit.js
Maintenance release for the reference for octokit/webhooks.js in Protobot
Workarounds
It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.
Release Notes
probot/probot (probot)
v12.3.3
Compare Source
Bug Fixes
@octokit/webhooks
security update (#1911) (02d81f8)v12.3.2
Compare Source
Bug Fixes
v12.3.1
Compare Source
Bug Fixes
v12.3.0
Compare Source
Features
v12.2.9
Compare Source
Bug Fixes
v12.2.8
Compare Source
Bug Fixes
probot receive
support complex Probot apps (#1714) (eff5553)v12.2.7
Compare Source
Bug Fixes
--base-url
option andGHE_HOST
(#1719) (68c9b91)v12.2.6
Compare Source
Bug Fixes
v12.2.5
Compare Source
Bug Fixes
v12.2.4
Compare Source
Bug Fixes
v12.2.3
Compare Source
Bug Fixes
v12.2.2
Compare Source
Bug Fixes
v12.2.1
Compare Source
Bug Fixes
hbs
(#1638) (dd9f5ae)v12.2.0
Compare Source
Features
GH_ORG
environment variable (#1606) (992b480)v12.1.4
Compare Source
Bug Fixes
ApplicationFunction
(#1631) (073f087)v12.1.3
Compare Source
Bug Fixes
v12.1.2
Compare Source
Bug Fixes
context.{repo,issue,pullRequest}
(#1622) (638a3b2)v12.1.1
Compare Source
Bug Fixes
v12.1.0
Compare Source
Features
v12.0.0
Compare Source
Features
@octokit/webhooks
to v9 (#1559) (4b3ae0e)BREAKING CHANGES
@octokit/webhooks
v9webhookPath
option onnew Probot({})
for the webhooks middlewareCo-authored-by: wolfy1339 [email protected]
v11.4.1
Compare Source
Bug Fixes
baseUrl
on Octokit constructor instead of Probot constructor (#1552) (453ddd2)v11.4.0
Compare Source
Features
v11.3.2
Compare Source
Bug Fixes
NO_SMEE_SETUP
to"true"
(#1544) (acd47a6)v11.3.1
Compare Source
Bug Fixes
HOST
environment variable is set (#1538) (4d70d69)v11.3.0
Compare Source
Features
v11.2.4
Compare Source
Bug Fixes
server.load()
(#1517) (8cc1590)v11.2.3
Compare Source
Bug Fixes
v11.2.2
Compare Source
Bug Fixes
v11.2.1
Compare Source
Bug Fixes
@octokit/plugin-rest-endpoint-methods
to v5 (#1511) (9342caf)v11.2.0
Compare Source
Features
v11.1.1
Compare Source
Bug Fixes
v11.1.0
Compare Source
Features
onAny
andonError
methods from@octokit/webhooks
(#1480) (9a24f9d)v11.0.6
Compare Source
Bug Fixes
v11.0.5
Compare Source
Bug Fixes
v11.0.4
Compare Source
Bug Fixes
context.pullRequest
method (#1461) (a5779ff)v11.0.3
Compare Source
Bug Fixes
v11.0.2
Compare Source
Bug Fixes
options.webhookProxy
fromProbot
constructor (#1459) (01bb678)v11.0.1
Compare Source
Bug Fixes
v11.0.0
Compare Source
BREAKING CHANGES
For a smooth upgrade, make sure to update to the latest Probot v10 version first (
npm install probot@10
), run your tests, and address all deprecation messages. Nearly all removed APIs have previously been deprecated.deprecated
context.octokit.*
have been removed via@octokit/plugin-rest-endpoint-methods
v4probot.server
property removed. Build your own server instead usingimport { Server } from "probot"
probot.load()
is now asynchronous and no longer returns the instanceexpress-async-errors
is no longer used.Probot
constructor parameter no longer supported increateNodeMiddleware(app, { Probot })
. Pass aprobot
instance instead:createNodeMiddleware(app, { probot })
getOptions()
has been removed. Use{ probot: createProbot() }
insteadprobot.load(appFn)
no longer acceptsappFn
to be a path string. Pass the actual function instead.probot.setup()
removed. Use the newServer
class instead:If you have more than one app function, combine them in a function instead
probot.start()
/probot.stop()
removed. Use the newServer
class instead:REDIS_URL
is ignored when usingProbot
constructor. Usenew Probot({ redisConfig: redis://... })
insteadProbot
constructor no longer reads environment variables. Pass options instead, orimport { createProbot } from "probot"
insteadProbot.run()
has been removed. Useimport { run} from "probot"
insteadcontext.github
has been removed. Usecontext.octokit
insteadcontext.event
has been removed. Usecontext.name
insteadapp.route()
has been removed. Use thegetRouter()
argument from the app function instead:(app, { getRouter }) => { ... }
app.router
has been removed. UsegetRouter()
from the app function instead:(app, { getRouter }) => { ... }
probot.logger
has been removed. Useprobot.log
insteadnew Probot({ id })
has been removed. Usenew Probot({ appId })
insteadnew Probot({ cert })
has been removed. Usenew Probot({ privateKey })
insteadprobot.webhook
has been removed. Useprobot.webhooks
insteadcreateProbot(options)
no longer supports any keys besidesoverrides
,defaults
, orenv
options.throttleOptions
has been removed. Setoptions.Octokit
toProbotOctokit.defaults({ throttle })
insteadimport { Application } from probot
has been removed. Useimport { Probot } from probot
instead, the APIs are the samev10.19.0
Compare Source
Features
(app) => {}
. Deprecate({ app, getRouter }) => {}
in favor of(app, { getRouter }) => {}
(#1441) (42b043e), closes /github.com/probot/probot/issues/1286#issuecomment-744094299v10.18.0
Compare Source
Features
createProbot()
(#1431) (d315f0c)new Probot({ appId })
(a94fdca)Probot.version
,Probot.defaults()
(2ff5d21)run(appFn, { env })
(3d90806)Server
class when usingprobot run
binary (8a3599d)Deprecations
probot.load()
(3d4b363)probot.start()
/probot.stop()
/probot.setup()
(7a8f268)new Probot({ id })
(a94fdca)Bug Fixes
[METHOD] /[PATH] [STATUS] - [NUM]ms
, e.gPOST / 500 - 123ms
(9d767e1)v10.17.3
Compare Source
Bug Fixes
app.route()
with(app) => {}
app function (#1430) (d203219)v10.17.2
Compare Source
Bug Fixes
GHE_HOST
deprecation message when usingprobot run
cli (#1423) (0ec5f23), closes #1422v10.17.1
Compare Source
Bug Fixes
"info"
(49153b8)v10.17.0
Compare Source
Features
import { run } from "probot"
. Deprecates Probot.run() (f35b58a)new Probot({ baseUrl })
. DeprecatesGHE_HOST
/GHE_PROTOCOL
when using with theProbot
constructor (7abbef7)new Probot({ logLevel })
. DeprecatesLOG_LEVEL
when usingProbot
constructor (7c46218)INSTALLATION_TOKEN_TTL
(dfc59fc)LOG_FORMAT
,LOG_LEVEL_IN_STRING
,SENTRY_DSN
environment variables when usingProbot
constructor. Pass a custom log instance instead: (514c764)REDIS_URL
environment variable when using with theProbot
constructor. Usenew Probot({ redisConfig: "redis://..." })
instead (1dbd999)v10.16.0
Compare Source
Features
@probot/get-private-key
(#1414) (47d9f3a), closes #1309v10.15.0
Compare Source
Features
context.octokit
. Deprecatescontext.github
(#1413) (0527b98)v10.14.1
Compare Source
Bug Fixes
@octokit/core
to latest (#1412) (9351df4)v10.14.0
Compare Source
Features
{ Application }
export. Use{ Probot }
instead, it has the same APIs now. (#1408) (0e52e05)v10.13.0
Compare Source
Features
probot.on()
/probot.receive()
/probot.auth()
(#1407) (1812cfe)v10.12.0
Compare Source
Features
getRouter
argument for app function (({ app, getRouter }) => {}
) (#1406) (de3adc1)v10.11.0
Compare Source
Features
(app) => {}
is now({ app }) => {}
(#1405) (4bfae5a)v10.10.2
Compare Source
Bug Fixes
.webhooks.on("*", handler)
in favor of `.webhooks.onAny(handler) (ab6fcb1)v10.10.1
Compare Source
Bug Fixes
v10.10.0
Compare Source
Features
octokit-auth-probot
(#1392) (8ba3a8e)v10.9.5
Compare Source
Bug Fixes
webhooks.onError()
instead of deprecatedwebhooks.on("error", ...)
(#1390) (a5b36b3)v10.9.4
Compare Source
Bug Fixes
v10.9.3
Compare Source
Bug Fixes
context
passed to event handler (#1378) (05abeef), closes #r501871740v10.9.2
Compare Source
Bug Fixes
@octokit/webhooks
(#1374) (630d78e)v10.9.1
Compare Source
Bug Fixes
options.throttle
passed to{Octokit: ProbotOctokit.defaults(options)}
(#1373) (9483546)v10.9.0
Compare Source
Features
new Application({ throttleOptions })
(#1365) (f537204)v10.8.1
Compare Source
Bug Fixes
use
@probot/octokit-plugin-config
forcontext.config
(#1362) (a235671)If you mocked http requests for configuration files, you will have to adapt them. Instead of returning a JSON response with a
{ content }
object, wherecontent
is a base64 encoded version of your raw configuration, you can now return the content without encoding directly. ExampleBefore
After
v10.8.0
Compare Source
Features
v10.7.1
Compare Source
Bug Fixes
v10.7.0
Compare Source
Features
v10.6.0
Compare Source
Features
v10.5.0
Compare Source
Features
v10.4.1
Compare Source
Bug Fixes
v10.4.0
Compare Source
Features
v10.3.0
Compare Source
Features
v10.2.0
Compare Source
Features
installation.id
and username to repository owner login (when present) (#1337) (4cf7de9)v10.1.5
Compare Source
Bug Fixes
v10.1.4
Compare Source
Bug Fixes
LOG_FORMAT=json
(86c1973)v10.1.3
Compare Source
Bug Fixes
../lib/private-key
" error when runningprobot receive
(#1332) (d671d82)v10.1.2
Compare Source
Bug Fixes
v10.1.1
Compare Source
v10 release notes
This is the first stable release for v10. See all breaking changes and new features at
https://github.com/probot/probot/releases/tag/v10.0.0
Bug Fixes
app.auth(installationId)
returnsoctokit
instance with all required installation authentication settings (#1326) (410302f)v10.1.0
Compare Source
Features
v10.0.1
Compare Source
Bug Fixes
v10.0.0
Compare Source
Breaking changes
@octokit/rest
has been updated from v16 to v17. See release notes. Important: If you currently mockedcontext.github.*
methods in your test, replace these with http mocks using nock instead, otherwise your tests will create methods that no longer exist and you will see errors in production although your tests passed. See https://github.com/wip/app/pull/238 for an exampleURL parameters are now always encoded when using
context.github.*
methods. For example, if you usecontext.github.repos.getContent( owner, repo, path )
make sure to not encode the value forpath
. Also if you were mocking http requests in your tests, replace e.g.repos/octocat/hello-world/contents/.github/config.yml
withrepos/octocat/hello-world/contents/.github%2Fconfig.yml
require Node 10.21+
Logging: an object with extra information must be passed as first argument. Passing it as last argument is no longer supported.
before
after
The logging output changed. Before, probot used bunyan with all kind of hacks and customizations for its log output. Now we use pino. We still do the formatting and sending errors to Sentry in the same process, but the logic is now encapsulated in
@probot/pino
. We might decouple it in future as part of making Probot more suitable for serverless/function environmentscontext.issue()
now returns.issue_number
instead of.number
. Usecontext.pullRequest()
foroctokit.pulls.*
method calls.registry_package
event was renamed topackage
The
probot
package no longer exportsOctokit
. UseProbotOctokit
instead.Probot
no longer acceptsoptions.throttlingOptions
. In order to disable throttling for testing, setoptions.Octokit
toProbotOctokit.defaults({ retry: { enabled: false }, throttle: { enabled: false } })
:Undocumented & untested APIs removed
probot.errorHandler
probot.httpServer
app.log.target
has been removed.router
option forApplication
contructor:new Application({ router })
Features
@octokit/rest
to v17@octokit/webhooks
to v7context.pullRequest()
probot.log
(probot.logger
is now deprecated)probot.stop()
(Replaces undocumentedprobot.httpServer
)bunyan
withpino
for loggingBug Fixes
v9.15.1
Compare Source
Bug Fixes
v9.15.0
Compare Source
bad release, sorry
v9.14.2
Compare Source
Bug Fixes
v9.14.1
Compare Source
Bug Fixes
v9.14.0
Compare Source
Features
v9.13.2
Compare Source
Bug Fixes
v9.13.1
Compare Source
v9.13.0
Compare Source
Features
throttleOptions
for Probot constructor (#1272) (ac86ffb)v9.12.0
Compare Source
Features
GET /probot/stats
is deprecated and will be removed in v10 (#1268) (1c31415)v9.11.7
Compare Source
Bug Fixes
v9.11.6
Compare Source
Bug Fixes
v9.11.5
Compare Source
Bug Fixes
v9.11.4
Compare Source
Bug Fixes
v9.11.3
Compare Source
Bug Fixes
v9.11.2
Compare Source
Bug Fixes
v9.11.1
Compare Source
Bug Fixes
v9.11.0
Compare Source
Features
v9.10.2
Compare Source
Bug Fixes
v9.10.1
Compare Source
Bug Fixes
v9.10.0
Compare Source
Features
v9.9.8
Compare Source
Bug Fixes
v9.9.7
Compare Source
Bug Fixes
v9.9.6
Compare Source
Bug Fixes
v9.9.5
Compare Source
Bug Fixes
v9.9.4
Compare Source
Bug Fixes
v9.9.1
Compare Source
Bug Fixes
v9.9.0
Compare Source
Features
v9.8.1
Compare Source
Bug Fixes
publish-docs
stage to Travis build (#1100) (f90057e)v9.8.0
Compare Source
Bug Fixes
/app
response (#1092) (28a4d43)Features
v9.7.0
Compare Source
Features
v9.6.6
Compare Source
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.