feat(security): Add provenance #671
👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with
I think it would be wise to backport this for 5.x releases as well, as that is what is used by Probot.
🎉 This PR is included in version 6.1.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
I don't think that's necessary, provenance is not that important, and hopefully, we'll be able to update Probot soon.
### Snyk has created this PR to upgrade @octokit/core from 4.2.4 to 6.1.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ **Warning:** This PR contains major version upgrade(s), and may be a breaking change.

- The recommended version is **24 versions** ahead of your current version.
- The recommended version was released **a month ago**.

#### Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
|:------|:------|:-----------------|
| Regular Expression Denial of Service (ReDoS) [SNYK-JS-OCTOKITREQUEST-8730853](https://snyk.io/vuln/SNYK-JS-OCTOKITREQUEST-8730853) | **67** | Proof of Concept |
| Regular Expression Denial of Service (ReDoS) [SNYK-JS-OCTOKITREQUESTERROR-8730854](https://snyk.io/vuln/SNYK-JS-OCTOKITREQUESTERROR-8730854) | **67** | Proof of Concept |

**Release notes** for package **@octokit/core**:

- **6.1.4** - [2025-02-13](https://redirect.github.com/octokit/core.js/releases/tag/v6.1.4) ([v6.1.3...v6.1.4](https://redirect.github.com/octokit/core.js/compare/v6.1.3...v6.1.4))
  - Bug Fixes: **deps:** bump Octokit dependencies vulnerable to ReDoS ([#723](https://redirect.github.com/octokit/core.js/issues/723)) ([582d8bd](https://redirect.github.com/octokit/core.js/commit/582d8bd744e7ab2e563c06c1e740defec7cd2cc4))
- **6.1.3** - [2025-01-03](https://redirect.github.com/octokit/core.js/releases/tag/v6.1.3) ([v6.1.2...v6.1.3](https://redirect.github.com/octokit/core.js/compare/v6.1.2...v6.1.3))
  - Bug Fixes: **deps:** bump Octokit dependencies to fix Deno compat ([#715](https://redirect.github.com/octokit/core.js/issues/715)) ([e2b21bb](https://redirect.github.com/octokit/core.js/commit/e2b21bbf929d2317e2bbe96a01cbdfb07c138a46))
- **6.1.2** - [2024-04-09](https://redirect.github.com/octokit/core.js/releases/tag/v6.1.2) ([v6.1.1...v6.1.2](https://redirect.github.com/octokit/core.js/compare/v6.1.1...v6.1.2))
  - Bug Fixes: **pkg:** add `default` fallback and `types` export ([#673](https://redirect.github.com/octokit/core.js/issues/673)) ([af3d390](https://redirect.github.com/octokit/core.js/commit/af3d390db448eb266642a0dab79b84a5df4d4836)), closes [#665](https://redirect.github.com/octokit/core.js/issues/665) [#667](https://redirect.github.com/octokit/core.js/issues/667)
- **6.1.1** - [2024-04-03](https://redirect.github.com/octokit/core.js/releases/tag/v6.1.1) ([v6.1.0...v6.1.1](https://redirect.github.com/octokit/core.js/compare/v6.1.0...v6.1.1))
  - Bug Fixes: **deps:** update dependency `@octokit/types` to v13 ([ade2813](https://redirect.github.com/octokit/core.js/commit/ade2813c6eb4b9b8aa85d4cf33d9dc07d25d3ffe))
- **6.1.0** - [2024-04-03](https://redirect.github.com/octokit/core.js/releases/tag/v6.1.0) ([v6.0.1...v6.1.0](https://redirect.github.com/octokit/core.js/compare/v6.0.1...v6.1.0))
  - Features: **security:** Add provenance ([#671](https://redirect.github.com/octokit/core.js/issues/671)) ([1c2bd25](https://redirect.github.com/octokit/core.js/commit/1c2bd2582a3b2a78d7923b89723718d053618928))
- **6.0.1** - [2024-02-26](https://redirect.github.com/octokit/core.js/releases/tag/v6.0.1) ([v6.0.0...v6.0.1](https://redirect.github.com/octokit/core.js/compare/v6.0.0...v6.0.1))
  - Bug Fixes: **pkg:** add main entry point ([#662](https://redirect.github.com/octokit/core.js/issues/662)) ([42148fc](https://redirect.github.com/octokit/core.js/commit/42148fc96ee489c5ebeb0fb30bac62e1fa3daaf7))
- **6.0.0** - [2024-02-25](https://redirect.github.com/octokit/core.js/releases/tag/v6.0.0) ([v5.1.0...v6.0.0](https://redirect.github.com/octokit/core.js/compare/v5.1.0...v6.0.0))
  - Features: package is now ESM ([#661](https://redirect.github.com/octokit/core.js/issues/661)) ([77f8a61](https://redirect.github.com/octokit/core.js/commit/77f8a61107a582ccb0a0305510409a4a8cceff29))
  - BREAKING CHANGES: package is now ESM. You can no longer use the `@octokit/core/dist-types/types.d` import; instead migrate to `@octokit/core/types`.
- **6.0.0-beta.5** - [2024-02-25](https://redirect.github.com/octokit/core.js/releases/tag/v6.0.0-beta.5) ([v6.0.0-beta.4...v6.0.0-beta.5](https://redirect.github.com/octokit/core.js/compare/v6.0.0-beta.4...v6.0.0-beta.5))
  - Bug Fixes: empty commit to trigger release ([4ce6c63](https://redirect.github.com/octokit/core.js/commit/4ce6c6390f9642d994fbeda9a30a4f0458e88b44))
- **6.0.0-beta.4** - 2024-02-25
- **6.0.0-beta.3** - 2024-02-25
- **6.0.0-beta.2** - 2024-02-25
- **6.0.0-beta.1** - 2024-02-24
- **5.2.1** - 2025-03-18
- **5.2.0** - [2024-04-05](https://redirect.github.com/octokit/core.js/releases/tag/v5.2.0) ([v5.1.1...v5.2.0](https://redirect.github.com/octokit/core.js/compare/v5.1.1...v5.2.0))
  - Features: **security:** Add provenance ([#671](https://redirect.github.com/octokit/core.js/issues/671)) ([0e2915b](https://redirect.github.com/octokit/core.js/commit/0e2915bab4d6919966c4c3efdf88e6c99fc7b2b3))
- **5.1.1** - [2024-04-05](https://redirect.github.com/octokit/core.js/releases/tag/v5.1.1) ([v5.1.0...v5.1.1](https://redirect.github.com/octokit/core.js/compare/v5.1.0...v5.1.1))
  - Bug Fixes: **deps:** upgrade `@octokit/types` to v13 ([260e360](https://redirect.github.com/octokit/core.js/commit/260e3606963fd69f625dc6bec04371204b7cc086))
- **5.1.0** - 2024-01-20
- **5.0.2** - 2023-11-22
- **5.0.1** - 2023-09-23
- **5.0.0** - 2023-07-10
- **5.0.0-beta.5** - 2023-07-07
- **5.0.0-beta.4** - 2023-06-18
- **5.0.0-beta.3** - 2023-06-16
- **5.0.0-beta.2** - 2023-06-03
- **5.0.0-beta.1** - 2023-05-21
- **4.2.4** - 2023-06-16

from [@octokit/core GitHub release notes](https://redirect.github.com/octokit/core.js/releases)

---

> [!IMPORTANT]
>
> - **Warning:** This PR contains a major version upgrade, and may be a breaking change.
> - Check the changes in this PR to ensure they won't cause issues with your project.
> - This PR was automatically created by Snyk using the credentials of a real user.
> - Max score is 1000. Note that the real score may have changed since the PR was raised.

---

**Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._

**For more information:**

- 🧐 [View latest project report](https://app.snyk.io/org/graysonbarton/project/467b4331-8389-4cb6-9061-a7a1b78f3b62?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr)
- 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template)
- 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/graysonbarton/project/467b4331-8389-4cb6-9061-a7a1b78f3b62/settings/integration?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr)
- 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/graysonbarton/project/467b4331-8389-4cb6-9061-a7a1b78f3b62/settings/integration?pkg=@octokit/core&utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)

## Summary by Sourcery

Upgrade @octokit/core from 4.2.4 to 6.1.4 to address security vulnerabilities and incorporate new features and bug fixes.

New Features:
- Adds security provenance.

Bug Fixes:
- Fixes Regular Expression Denial of Service (ReDoS) vulnerabilities.
- Fixes Deno compatibility issues.
- Adds a default fallback and types export.
This helps increase trust in the builds on NPM by showing they were indeed generated from the same source code as this repository contains.
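As an added example (not code from this PR, from octokit/core.js, or from the PR author), the script below shows what a consumer can actually check once a package ships with the provenance this PR enables: that the attestation's subject digest matches the tarball on disk, that the build was fed from the expected repository, and that it ran on a hosted builder. It assumes the in-toto Statement v1 / SLSA provenance v1 layout npm uses for provenance attestations; the statement, tarball bytes and commit digest are constructed for the example, and the builder id value is an assumption taken from the SLSA GitHub Actions build type rather than from this page. Signature verification of the surrounding Sigstore bundle is out of scope here and is assumed to have been done by the client (for instance by `npm audit signatures`).

```python
import hashlib

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
# Builder id reported for GitHub-hosted runners (assumption: taken from the
# SLSA GitHub Actions build type, not from this PR).
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"

# Constructed sample artifact: stands in for the published .tgz bytes.
TARBALL_BYTES = b"constructed tarball contents for this example"
TARBALL_SHA512 = hashlib.sha512(TARBALL_BYTES).hexdigest()

# Constructed statement shaped like the in-toto Statement v1 / SLSA
# provenance v1 that npm attaches to a package published with --provenance.
# In practice it arrives as the DSSE payload inside a Sigstore bundle; the
# commit digest below is a placeholder, not a real release commit.
STATEMENT = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [
        {"name": "pkg:npm/%40octokit/core@6.1.0",
         "digest": {"sha512": TARBALL_SHA512}},
    ],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/heads/main",
                    "repository": "https://github.com/octokit/core.js",
                    "path": ".github/workflows/release.yml",
                }
            },
            "resolvedDependencies": [
                {"uri": "git+https://github.com/octokit/core.js@refs/heads/main",
                 "digest": {"gitCommit": "0" * 40}},  # placeholder commit
            ],
        },
        "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}},
    },
}


def verify_provenance(statement, tarball, expected_repo):
    """Return a list of findings. An empty list means the statement binds the
    tarball we hold to a hosted build of expected_repo; each string names a
    reason the binding does not hold."""
    findings = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        findings.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        findings.append("unexpected predicate type")

    # 1. The subject digest must match the artifact actually on disk; a
    #    statement about some other tarball proves nothing about this one.
    actual = hashlib.sha512(tarball).hexdigest()
    if not any(s.get("digest", {}).get("sha512") == actual
               for s in statement.get("subject", [])):
        findings.append("subject digest does not match the tarball")

    predicate = statement.get("predicate", {})
    # 2. The build must have been fed from the repository we expect.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    prefix = "git+" + expected_repo.rstrip("/") + "@"
    if not any(d.get("uri", "").startswith(prefix) for d in deps):
        findings.append("source repository is not " + expected_repo)

    # 3. The builder must be the hosted runner, not an arbitrary machine.
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if builder != GITHUB_HOSTED_BUILDER:
        findings.append("builder is not a GitHub-hosted runner")
    return findings


if __name__ == "__main__":
    repo = "https://github.com/octokit/core.js"
    print("genuine   :", verify_provenance(STATEMENT, TARBALL_BYTES, repo) or "OK")
    print("tampered  :", verify_provenance(STATEMENT, b"modified tarball", repo))
    print("wrong repo:", verify_provenance(STATEMENT, TARBALL_BYTES,
                                           "https://github.com/example/fork"))
```

The three calls at the bottom illustrate the failure modes a consumer cares about: a tarball that no longer matches the attested digest, and an attestation that is perfectly valid but describes a build of some other repository. Pinning the expected repository in the consumer's own policy is what turns "this package has provenance" into "this package came from the source I trust".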