@renovate-sh-app renovate-sh-app bot commented Oct 17, 2025

This PR contains the following updates:

| Package           | Change            |
| ----------------- | ----------------- |
| @octokit/webhooks | ^7.12.2 -> ^9.0.0 |

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x, v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process.

The problem is caused by an issue with error handling in the @​octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @​pb82 (for the early analysis) and @​rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

Maintenance release for the reference for octokit/webhooks.js in app.js

Maintenance release for the reference for octokit/webhooks.js in octokit.js

Maintenance release for the reference for octokit/webhooks.js in Probot

Workarounds

It is recommended that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated backported versions.


Unauthenticated Denial of Service in the octokit/webhooks library

CVE-2023-50728 / GHSA-pwfr-8pq7-x9qv


Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

octokit/webhooks.js (@​octokit/webhooks)

v9.26.3

Compare Source

Bug Fixes
  • try to release with previously used semantic-release version (a674dd6)

v9.26.2

Compare Source

Bug Fixes

v9.26.1

Compare Source

Bug Fixes

v9.26.0

Compare Source

Features

v9.25.0

Compare Source

Features

v9.24.0

Compare Source

Features

v9.23.0

Compare Source

Features
  • types: new repository_vulnerability_alert.reopen event, remove workflow_job.started event, and many other type updates for events via @octokit/webhooks-types to v5.5.1 (#​674) (f147fa3)

v9.22.0

Compare Source

Features
  • types: updates to deployment and deployment_status events, new deployment property for check_run event (#​662) (ebf8f49)

v9.21.0

Compare Source

Features
  • types: new changes.base property on pull_request#edited, new merged_at property on issues common schema, new rerequestable property on check_suite#completed, new log_url property on deployment#created, remove content_reference event (#​660) (9fdd549)

v9.20.0

Compare Source

Features

v9.19.0

Compare Source

Features

v9.18.0

Compare Source

Features
  • types: description updates for the workflow_run event (#​657) (bad7bf7)

v9.17.0

Compare Source

Features

v9.16.0

Compare Source

Features
  • types: add missing event workflow_job.in_progress, description updates for push event payload properties (#​647) (07279dc)

v9.15.1

Compare Source

Bug Fixes
  • types: add ability to remove onAny listeners again (#​645) (2b00d86)

v9.15.0

Compare Source

Features

v9.14.2

Compare Source

Bug Fixes
  • types: allow non-truthy values in generated output (#​632) (c51e5ee)

v9.14.1

Compare Source

Bug Fixes

v9.14.0

Compare Source

Features

v9.13.0

Compare Source

Features

v9.12.0

Compare Source

Features

v9.11.0

Compare Source

Features
  • types: updates to Installation and Commit common interfaces, updates to MemberAdded, RepositoryVulnerabilityAlertResolve, RepositoryEdited events (#​607) (406fd8f)

v9.10.0

Compare Source

Features
  • typescript: export the EmitterWebhookEventName type (#​604) (b09d164)

v9.9.0

Compare Source

Features
  • types: new labeled & unlabeled actions for DiscussionEvent, Discussion#state can be converting, active_lock_reason can be null in DiscussionLockedEvent, LabelEditedEvent#changes now contains a description object (#​603) (68861f4)

v9.8.4

Compare Source

Bug Fixes
  • types: add new properties for the Container registry to PackageEvent (#​596) (984f3f5)

v9.8.3

Compare Source

Bug Fixes
  • remove all whitespace when stringifying a webhook event payload object to a JSON string for verification (#​595) (3e0f2a0)

v9.8.2

Compare Source

Bug Fixes
  • types: add changes object for IssuesTransferredEvent and for IssuesOpenedEvent when the issue is transferred (#​592) (7d6a81d), closes #​590 #​591

v9.8.1

Compare Source

Bug Fixes

v9.8.0

Compare Source

Features
  • octokit.verifyAndReceive() accepts raw string payload (#​586) (435344b)

v9.7.0

Compare Source

Features
  • update {App, Installation}#permissions with additional permissions, add changes property to RepositoryRenamedEvent, ReleaseAsset#label can be null, Installation#suspended_{at, by} are always present, fix WorkflowRun#pull_requests is not PullRequest[] but a simpler type (01891fc)

v9.6.3

Compare Source

Bug Fixes
  • typescript: issue_comment event description update (#​573) (da05374)

v9.6.2

Compare Source

Bug Fixes

v9.6.1

Compare Source

Bug Fixes
  • types: PullRequest#body can be of type string or null, Release#{body, name} are only of type string (#​566) (7643a67)

v9.6.0

Compare Source

Features
  • types: fix workflow_run#conclusion is not always null, add new app_id to MarketplacePurchase#account, add requester to installation_repositories.removed, add enums for various properties (#​565) (9eef640)

v9.5.1

Compare Source

Bug Fixes

v9.5.0

Compare Source

Features
  • types: new withdrawn action for security_advisory event (#​560) (610d82b)

v9.4.0

Compare Source

Features
  • types: requester in InstallationRepositoriesAddedEvent can be null and is now set as required, closed_at in IssueCommentEvent isn't always null (#​558) (fcafa8d)

v9.3.0

Compare Source

Features
  • types: add missing permissions in Installation#removed, add null to various properties, list all events instead of string[] in Installation#events, add string to PushEvent#base_ref (#​557) (47211c7)

v9.2.0

Compare Source

Features
  • types: add new changes property to ProjectColumnEditedEvent and make ProjectCard#content_url optional (#​550) (d4f9b4b)

v9.1.2

Compare Source

Bug Fixes
  • types: update properties in PullRequestReviewCommentEvent and WorkflowRunDispatchEvent (#​547) (6f317c4)

v9.1.1

Compare Source

Bug Fixes

v9.1.0

Compare Source

Features
  • update package to use new packages split from @octokit/webhooks-definitions (#​539) (698e793)

v9.0.1

Compare Source

Bug Fixes
  • middleware: pass on to the next middleware in case of express (#​534) (07f19fe)

v9.0.0

Compare Source

BREAKING CHANGES
  • createWebhooksApi() has been removed. Use new Webhooks() instead

  • webhooks.middleware has been removed. Use createNodeMiddleware() instead

  • createMiddleware has been removed. Use createNodeMiddleware() instead

  • deprecated path option for Webhooks constructor has been removed. Use createNodeMiddleware(webhooks, { path }) instead

  • all usage of debug has been removed. Use the log option instead

  • webhooks.sign now defaults to the sha256 algorithm. In order to continue to use sha1, replace

    webhooks.sign(secret, payload)

    with

    webhooks.sign({ secret, algorithm: "sha1" }, payload)
  • webhooks.sign() and webhooks.verify() are now asynchronous

  • static sign and verify methods are no longer exported. Use @octokit/webhooks-methods package instead

v8.12.3

Compare Source

Bug Fixes
  • correct spelling error in DiscussionTransferredEvent event name (#​532) (5bd1901)

v8.12.2

Compare Source

Bug Fixes
  • typescript: username property on Committer can be not present (#​530) (720f92b)

v8.12.1

Compare Source

Bug Fixes
  • typescript: add some missing properties to event payloads (#​529) (3072c79)

v8.12.0

Compare Source

Features
  • typescript: add new is_one_time and is_custom_ammount to SponsorshipTier (e75d17a)

v8.11.2

Compare Source

Bug Fixes
  • types: allow IncomingMessage to have bodies of other types (#​524) (01c38e8)

v8.11.1

Compare Source

Bug Fixes
  • use options.onUnhandledRequest in createNodeMiddleware(webhooks, options) (#​519) (69c39f0)

v8.11.0

Compare Source

Features
  • typescript: add new DiscussionEvent and DiscussionCommentEvent types, fix types for Installation#requester to be User and not null (#​523) (995b48d)

v8.10.1

Compare Source

Bug Fixes
  • typescript: remove description from objects in order to stop duplication (#​517) (5121039)

v8.10.0

Compare Source

Features
  • typescript: compile-time error when missing secret option (#​461) (deefd69)

v8.9.0

Compare Source

Features

v8.8.3

Compare Source

Bug Fixes
  • remove null override on IssueCommentEditedEvent#issue.closed_at (#​516) (8fef083)

v8.8.2

Compare Source

Bug Fixes

v8.8.1

Compare Source

Bug Fixes
  • typescript: default TTransformed in Webhooks type parameter to unknown (#​514) (21f21b0)

v8.8.0

Compare Source

Features

v8.7.2

Compare Source

Bug Fixes
  • typescript: improve type of WorkflowRun#conclusion property (#​506) (f5f55b6)

v8.7.1

Compare Source

Bug Fixes
  • typescript: update URL in the descriptions for RepositoryVulnerabilityAlertEvent and SecurityAdvisoryEvent (#​505) (b2be1a1)

v8.7.0

Compare Source

Features
  • typescript: add descriptions to webhooks payload interface properties (#​503) (7bf22c9)

v8.6.2

Compare Source

Bug Fixes
  • typescript: add check_suite_id property to WorkflowRun interface & remove sender property from SecretScanningAlertCreatedEvent (#​501) (dec3f63)

v8.6.1

Compare Source

Bug Fixes
  • typescript: add auto_merge property to PullRequest and add email permission to App (#​500) (6ba0ae9)

v8.6.0

Compare Source

Features
  • typescript: add description for {CreateEvent, DeleteEvent}#pusher_type property (#​499) (2dfe3a9)

v8.5.4

Compare Source

Bug Fixes

v8.5.3

Compare Source

Bug Fixes
  • deps: explicitly specify that TS 4.1 is required (#​485) (b5fdf2a)

v8.5.2

Compare Source

Bug Fixes

v8.5.1

Compare Source

Bug Fixes
  • types: update WorkflowRun#pull_request with the PullRequest interface instead of unknown (2b7490f)

v8.5.0

Compare Source

Features
  • typescript: new deployment object for CheckRunEvent; cleanup properties in issue and pull_request events; fix GitHubOrg interface values (#​478) (639896f)

v8.4.1

Compare Source

Bug Fixes
  • typescript: compile-time invalid argument errors (#​465) (ceacf57)

v8.4.0

Compare Source

Features

v8.3.0

Compare Source

Features
  • typescript: update CodeScanningAlert#{AppearedInBranch,Created,Fixed,Reopened} types to include a sender field defaulted to GitHub (#​450) (6106784)

v8.2.0

Compare Source

Features

v8.1.1

Compare Source

Bug Fixes

v8.1.0

Compare Source

Features

v8.0.3

Compare Source

Bug Fixes
  • typescript: infer TTransformed from createEventHandler() options (#​459) (d2a0b73)

v8.0.2

Compare Source

First stable 8.x release, see release notes for v8.0.0

Bug Fixes

v8.0.1

Compare Source

Bug Fixes
  • throw an error if * or error events are passed to #on (560ff73)

v8.0.0

Compare Source

BREAKING CHANGES
  • payload types have been renamed and refactored
  • passing * as an event name is no longer supported
  • passing error as an event name is no longer supported
Features
  • make @octokit/webhooks-definitions a dependency (c4ed3d8)
  • refactor types (8e81a5a)
  • remove deprecated payload types (ca8c6f1)
  • remove deprecated properties from error types (bae6624)
  • remove support for * event (4b20ca7)
  • remove support for error event (b2d5c70)
Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

| datasource | package           | from   | to     |
| ---------- | ----------------- | ------ | ------ |
| npm        | @octokit/webhooks | 7.24.3 | 9.26.3 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>