Update dependency probot to v12 [SECURITY] by renovate[bot] · Pull Request #160 · toolmantim/boomper

renovate · 2023-12-16T01:47:52Z

This PR contains the following updates:

Package	Change	Age	Confidence
probot (source)	`10.8.0` → `12.3.3`

Unauthenticated Denial of Service in the octokit/webhooks library

CVE-2023-50728 / GHSA-pwfr-8pq7-x9qv

More information

Details

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

v12 - v12.0.4
v11 - v11.1.2
v10 -v10.9.2
v9 - v9.26.3

Maintenance release for the reference for octokit/webhooks.js in app.js

v14.0.2

Maintenance release for the reference for octokit/webhooks.js in octokit.js

v3.1.2

Maintenance release for the reference for octokit/webhooks.js in Protobot

v12.3.3

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

Severity

CVSS Score: 8.2 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

probot/probot (probot)

`v12.3.3`

Compare Source

Bug Fixes

deps: @octokit/webhooks security update (#1911) (02d81f8)

`v12.3.2`

Compare Source

Bug Fixes

Fix async main function type (#1672) (fc6886d)

`v12.3.1`

Compare Source

Bug Fixes

typescript: simplify ProbotWebhooks object (#1833) (7b09369)

`v12.3.0`

Compare Source

Features

server: add logging options (#1645) (6c5840d)

`v12.2.9`

Compare Source

Bug Fixes

typescript: add missing import (#1783) (229a01c)

`v12.2.8`

Compare Source

Bug Fixes

Make probot receive support complex Probot apps (#1714) (eff5553)

`v12.2.7`

Compare Source

Bug Fixes

receive: --base-url option and GHE_HOST (#1719) (68c9b91)

`v12.2.6`

Compare Source

Bug Fixes

deps: upgrade octokit/types to v7.1.1 (#1724) (be45120)

Bug Fixes

logging of first octokit instance is not set (#1676) - thanks @kammerjaeger @markjm (646b6a9)

`v12.2.3`

Compare Source

Bug Fixes

deps: bump eventsource from 1.1.0 to 2.0.2 (7fd06d6)

`v12.2.2`

Compare Source

Bug Fixes

Replaced hbs with express-handlebars (#1659) (420f886)

`v12.2.1`

Compare Source

Bug Fixes

security: bump minimal version of hbs (#1638) (dd9f5ae)

`v12.2.0`

Compare Source

Features

customize account name for manifest creation flow using GH_ORG environment variable (#1606) (992b480)

`v12.1.4`

Compare Source

Bug Fixes

types: export ApplicationFunction (#1631) (073f087)

`v12.1.3`

Compare Source

Bug Fixes

log json in production (#1598) (bb068d9)

`v12.1.2`

Compare Source

Bug Fixes

typescript: add types for context.{repo,issue,pullRequest} (#1622) (638a3b2)

`v12.1.1`

Compare Source

Bug Fixes

update ioredis to non-vulnerable version (#1589) (f02c549)

`v12.1.0`

Compare Source

Features

website: 11ty 🚀 (#1516) (7a43e9e)

`v12.0.0`

Compare Source

Features

update @octokit/webhooks to v9 (#1559) (4b3ae0e)

BREAKING CHANGES

remove '*' event
app.webhooks.middleware has been removed in @octokit/webhooks v9
removes the webhookPath option on new Probot({}) for the webhooks middleware

`v11.4.1`

Compare Source

Bug Fixes

support setting baseUrl on Octokit constructor instead of Probot constructor (#1552) (453ddd2)

`v11.4.0`

Compare Source

Features

logger: custom message key (#1546) (01c2006)

`v11.3.2`

Compare Source

Bug Fixes

skip smee setup by setting NO_SMEE_SETUP to "true" (#1544) (acd47a6)

`v11.3.1`

Compare Source

Bug Fixes

setup: do not enter setup mode if HOST environment variable is set (#1538) (4d70d69)

`v11.3.0`

Compare Source

Features

deprecate usage of the "*" event name (#1518) (474b773)

`v11.2.4`

Compare Source

Bug Fixes

run: await server.load() (#1517) (8cc1590)

`v11.2.3`

Compare Source

Bug Fixes

Update to Contributor Covenant v2 (#1515) (72b0531)

`v11.2.2`

Compare Source

Bug Fixes

add workaround for "appId option is required" when in setup mode (#1513) (e11b91e)

`v11.2.1`

Compare Source

Bug Fixes

bump @octokit/plugin-rest-endpoint-methods to v5 (#1511) (9342caf)

`v11.2.0`

Compare Source

Features

Add dark mode to builtin pages (#1509) (ce96884)

`v11.1.1`

Compare Source

Bug Fixes

update design of probot landing page (#1508) (0e37427)

`v11.1.0`

Compare Source

Features

add onAny and onError methods from @octokit/webhooks (#1480) (9a24f9d)

`v11.0.6`

Compare Source

Bug Fixes

deps: pin version of @octokit/webhooks (#1472) (cd14dd4)

`v11.0.5`

Compare Source

Bug Fixes

clarify error message in case of invalid app authentication (#1465) thanks @eXpire163 (5f1831b)

`v11.0.4`

Compare Source

Bug Fixes

TypeScript: fix description of context.pullRequest method (#1461) (a5779ff)

`v11.0.3`

Compare Source

Bug Fixes

correctly import (transpiled) app function for run and receive (#1457) thanks @ZauberNerd (2275698)

`v11.0.2`

Compare Source

Bug Fixes

typescript: remove options.webhookProxy from Probot constructor (#1459) (01bb678)

`v11.0.1`

Compare Source

Bug Fixes

import app functions transpiled from TypeScript (#1448) (3356845)

`v11.0.0`

Compare Source

BREAKING CHANGES

For a smooth upgrade, make sure to update to the latest Probot v10 version first (npm install probot@10), run your tests, and address all deprecation messages. Nearly all removed APIs have previously been deprecated.

deprecated context.octokit.* have been removed via @octokit/plugin-rest-endpoint-methods v4
probot.server property removed. Build your own server instead using import { Server } from "probot"
probot.load() is now asynchronous and no longer returns the instance
express-async-errors is no longer used.
Probot constructor parameter no longer supported in createNodeMiddleware(app, { Probot }). Pass a probot instance instead: createNodeMiddleware(app, { probot })
getOptions() has been removed. Use { probot: createProbot() } instead
probot.load(appFn) no longer accepts appFn to be a path string. Pass the actual function instead.

probot.setup() removed. Use the new Server class instead:

const { Server, Probot } = require("probot")
const server = new Server({
  // optional:
  host,
  port,
  webhookPath,
  webhookProxy,
  Probot: Probot.defaults({ id, privateKey, ... })
})

// load probot app function
await server.load((app) => {})

// start listening to requests
await server.start()
// stop server with: await server.stop()

If you have more than one app function, combine them in a function instead

const app1 = require("./app1")
const app2 = require("./app2")

module.exports = function app ({ probot, getRouter }) {
  await app1({ probot, getRouter })
  await app2({ probot, getRouter })
}

probot.start() / probot.stop() removed. Use the new Server class instead:

const { Server, Probot } = require("probot")
const server = new Server({
  Probot: Probot.defaults({ id, privateKey, ... })
  // optional:
  host,
  port,
  webhookPath,
  webhookProxy,
})

// load probot app function
await server.load((app) => {})

// start listening to requests
await server.start()
// stop server with: await server.stop()

REDIS_URL is ignored when using Probot constructor. Use new Probot({ redisConfig: redis://... }) instead
Probot constructor no longer reads environment variables. Pass options instead, or import { createProbot } from "probot" instead
Probot.run() has been removed. Use import { run} from "probot" instead
context.github has been removed. Use context.octokit instead
context.event has been removed. Use context.name instead
app.route() has been removed. Use the getRouter() argument from the app function instead: (app, { getRouter }) => { ... }
app.router has been removed. Use getRouter() from the app function instead: (app, { getRouter }) => { ... }
probot.logger has been removed. Use probot.log instead
new Probot({ id }) has been removed. Use new Probot({ appId }) instead
new Probot({ cert }) has been removed. Use new Probot({ privateKey }) instead
probot.webhook has been removed. Use probot.webhooks instead
createProbot(options) no longer supports any keys besides overrides, defaults, or env
options.throttleOptions has been removed. Set options.Octokit to ProbotOctokit.defaults({ throttle }) instead
import { Application } from probot has been removed. Use import { Probot } from probot instead, the APIs are the same

`v10.19.0`

Compare Source

Features

un-deprecate (app) => {}. Deprecate ({ app, getRouter }) => {} in favor of (app, { getRouter }) => {} (#1441) (42b043e), closes /github.com/probot/probot/issues/1286#issuecomment-744094299

`v10.18.0`

Compare Source

Features

createProbot() (#1431) (d315f0c)
new Probot({ appId }) (a94fdca)
Probot.version, Probot.defaults() (2ff5d21)
run(appFn, { env }) (3d90806)
createNodeMiddleware (bdbe94e)
use new Server class when using probot run binary (8a3599d)

Deprecations

probot.load() (3d4b363)
probot.start() / probot.stop() / probot.setup() (7a8f268)
Deprecates new Probot({ id }) (a94fdca)

Bug Fixes

`createProbot() without options (8c01e90)
load app function only once when using createNodeMiddleware (#1432) (60b702b)
server: log error requests as [METHOD] /[PATH] [STATUS] - [NUM]ms, e.g POST / 500 - 123ms (9d767e1)

`v10.17.3`

Compare Source

Bug Fixes

app.route() with (app) => {} app function (#1430) (d203219)

`v10.17.2`

Compare Source

Bug Fixes

remove GHE_HOST deprecation message when using probot run cli (#1423) (0ec5f23), closes #1422

`v10.17.1`

Compare Source

Bug Fixes

set default log level correctly to "info" (49153b8)

`v10.17.0`

Compare Source

Features

import { run } from "probot". Deprecates Probot.run() (f35b58a)
new Probot({ baseUrl }). Deprecates GHE_HOST / GHE_PROTOCOL when using with the Probot constructor (7abbef7)
new Probot({ logLevel }). Deprecates LOG_LEVEL when using Probot constructor (7c46218)
deprecate INSTALLATION_TOKEN_TTL (dfc59fc)
deprecate LOG_FORMAT, LOG_LEVEL_IN_STRING, SENTRY_DSN environment variables when using Probot constructor. Pass a custom log instance instead: (514c764)
deprecate REDIS_URL environment variable when using with the Probot constructor. Use new Probot({ redisConfig: "redis://..." }) instead (1dbd999)

`v10.16.0`

Compare Source

Features

use @probot/get-private-key (#1414) (47d9f3a), closes #1309

`v10.15.0`

Compare Source

Features

context.octokit. Deprecates context.github (#1413) (0527b98)

`v10.14.1`

Compare Source

Bug Fixes

deps: update @octokit/core to latest (#1412) (9351df4)

`v10.14.0`

Compare Source

Features

deprecate { Application } export. Use { Probot } instead, it has the same APIs now. (#1408) (0e52e05)

`v10.13.0`

Compare Source

Features

probot.on() / probot.receive() / probot.auth() (#1407) (1812cfe)

`v10.12.0`

Compare Source

Features

getRouter argument for app function (({ app, getRouter }) => {}) (#1406) (de3adc1)

`v10.11.0`

Compare Source

Features

(app) => {} is now ({ app }) => {} (#1405) (4bfae5a)

`v10.10.2`

Compare Source

Bug Fixes

stop using .webhooks.on("*", handler) in favor of `.webhooks.onAny(handler) (ab6fcb1)

`v10.10.1`

Compare Source

Bug Fixes

correct payload type by omitting context keys (#1389) (2b30518)

`v10.10.0`

Compare Source

Features

use octokit-auth-probot (#1392) (8ba3a8e)

`v10.9.5`

Compare Source

Bug Fixes

use webhooks.onError() instead of deprecated webhooks.on("error", ...) (#1390) (a5b36b3)

`v10.9.4`

Compare Source

Bug Fixes

typescript: TypeScript issues TS2305,TS2707,TS7006 (41ee70c), closes #1387

`v10.9.3`

Compare Source

Bug Fixes

types: set correct type for context passed to event handler (#1378) (05abeef), closes #r501871740

`v10.9.2`

Compare Source

Bug Fixes

typescript: adapt for latest @octokit/webhooks (#1374) (630d78e)

`v10.9.1`

Compare Source

Bug Fixes

do not overwrite options.throttle passed to {Octokit: ProbotOctokit.defaults(options)} (#1373) (9483546)

`v10.9.0`

Compare Source

Features

deprecate new Application({ throttleOptions }) (#1365) (f537204)

`v10.8.1`

Compare Source

Bug Fixes

use @probot/octokit-plugin-config for context.config (#1362) (a235671)

If you mocked http requests for configuration files, you will have to adapt them. Instead of returning a JSON response with a { content } object, where content is a base64 encoded version of your raw configuration, you can now return the content without encoding directly. Example

Before
```
nock("https://api.github.com")
  .get("/repos/wip/app/contents/.github%2Fwip.yml")
  .reply(200, {
    content: Buffer.from("terms: 🚧").toString("base64"),
  });
```
After
```
nock("https://api.github.com")
  .get("/repos/wip/app/contents/.github%2Fwip.yml")
  .reply(200, "terms: 🚧");
```

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 3208d04 to 05c2f8e Compare August 10, 2025 13:06

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 05c2f8e to 40b4de1 Compare August 31, 2025 11:03

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 40b4de1 to 7adef2f Compare September 25, 2025 14:54

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 7adef2f to 27dc70e Compare October 21, 2025 23:02

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 27dc70e to 3ff40cb Compare November 10, 2025 18:02

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 3ff40cb to df2707b Compare November 18, 2025 11:41

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from df2707b to 87185bb Compare December 3, 2025 18:02

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 87185bb to 639fc87 Compare December 31, 2025 14:36

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 639fc87 to 34a1f82 Compare January 8, 2026 20:33

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 34a1f82 to 43aa452 Compare January 19, 2026 19:28

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 43aa452 to 82e37b5 Compare February 12, 2026 15:33

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 82e37b5 to 9e754d3 Compare March 5, 2026 19:46

renovate Bot changed the title ~~Update dependency probot to v12 [SECURITY]~~ Update dependency probot to v12 [SECURITY] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-probot-vulnerability branch March 27, 2026 00:42

renovate Bot changed the title ~~Update dependency probot to v12 [SECURITY] - autoclosed~~ Update dependency probot to v12 [SECURITY] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch 2 times, most recently from 9e754d3 to 9562332 Compare March 30, 2026 22:29

Update dependency probot to v12 [SECURITY]

db16408

renovate Bot force-pushed the renovate/npm-probot-vulnerability branch from 9562332 to db16408 Compare April 8, 2026 15:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency probot to v12 [SECURITY]#160

Update dependency probot to v12 [SECURITY]#160
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-probot-vulnerability

renovate Bot commented Dec 16, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Dec 16, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Unauthenticated Denial of Service in the octokit/webhooks library

Details

Impact

Patches

Workarounds

Severity

References

Release Notes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

BREAKING CHANGES

Bug Fixes

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

BREAKING CHANGES

Features

Features

Deprecations

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Features

Features

Bug Fixes

Features

Features

Features

Features

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Configuration

Uh oh!

Reviewers

Assignees

renovate Bot commented Dec 16, 2023 •

edited

Loading