chore: upgrade octokit dependencies#2459
Update: I seem to have finally found a combination of the Unfortunately I still have to add a
Would love to see this get in!
@restfulhead It would be great to merge this in :) Hope the related PR helped a bit, but still seems some tests are failing.
@restfulhead please rebase your branch on main and the failing tests should turn green. Is there anything else missing to get this merged? Have a great day.
The main goal here is to upgrade `@octokit/plugin-throttling` to `5`, so that the secondary rate limit wait time is increased, which hopefully fixes intuit#2458. This required other dependencies to be upgraded. The `resolutions` for `@octokit/plugin-rest-endpoint-methods` is necessary, because without it, it pulls in `10.0.0` of `@octokit/types` which isn't compatible with the other libraries.
Finally found a combination of @octokit versions that all use @octokit/types 9.x
@LittleGreenYoda42 @dpotyralski Thanks, the rebase is done and the test build is now green. 🙌
In general, it would probably be a good idea for someone else to manually test this change. Also note that I haven't tested any plugins and I'm not sure how isolated they are from the dependency changes here. I checked
Thanks @restfulhead for your input. I'm not sure if we are in a position to decide about the version here. Maybe @hipstersmoothie could add his opinion?
Btw, if anyone would like to help test, I've released a beta version here: https://www.npmjs.com/package/@restfulhead/auto |
We still experience rate limiting errors here and there that prevent our workflows from properly executing; having up-to-date rate limiting/throttling plugins for Octokit would fix that. What can we do to help this PR get merged?
@LittleGreenYoda42 it seems the only failures remaining come from your CI actions being outdated. NPM/PNPM are now throwing audit errors due to security vulnerabilities in your octokit dependency, making this PR rather urgent. Could you please have another look at it?
Bump @octokit/rest, core, and plugins to versions that ship a patched @octokit/plugin-paginate-rest (>= 9.2.2 / >= 11.4.1), resolving the ReDoS advisory GHSA-h5c3-5r3r-rr8q (CVE-2025-25288, moderate).

Target stack (CJS-compatible, stays off the v21+ ESM-only line):
- @octokit/rest: ^18.12.0 -> ^20.1.2
- @octokit/core: ^3.5.1 -> ^5.2.2
- @octokit/plugin-throttling: ^3.6.2 -> ^8.2.0
- @octokit/plugin-retry: ^3.0.9 -> ^6.1.0
- @octokit/plugin-enterprise-compatibility: 1.3.0 -> ^4.1.0

This resolves @octokit/plugin-paginate-rest to 11.4.4-cjs.2, which is the CJS back-port on the fixed 11.4.x line and is no longer flagged by Socket.

Code adjustments:
- @octokit/plugin-throttling v4 renamed `onAbuseLimit` to `onSecondaryRateLimit`; v8 moved `retryCount` out of the options object into a 4th argument. Update the handler shapes in `packages/core/src/git.ts`.
- @octokit/core v4 removed the `previews` option; drop `symmetra-preview` (GA since 2019 and no longer emits a header).
- GitHub's REST search endpoints now require `advanced_search="true"` (string) rather than boolean `true`. Update `searchRepo` and its test.

Test/build environment:
- The new octokit majors require Node >= 18, so bump CI to Node 20 and `pkg-fetch` binary targets to node18.
- Bump TypeScript to ~4.9.5 so the new `.d.ts` syntax in octokit packages parses. Enable `skipLibCheck` and `useUnknownInCatchVariables: false` to keep the rest of the codebase compiling unchanged.
- Lock `@types/node` to ^18.19.0 (and via a resolution) so lib types match the runtime.
- Pin `@types/readable-stream` to ^4 so it stays compatible with the new @types/node shipped globals.
- Bump `actions/checkout` and `actions/cache` to v4; `actions/setup-node` to v4. Current v3 pins were producing workflow warnings.

Pre-existing tests and lint errors unchanged vs main: 790 passing, 60 failing, 3 lint errors — all identical to the baseline on upstream main.
Refs: GHSA-h5c3-5r3r-rr8q
See also: intuit#2459 (prior attempt at the same upgrade)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
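The throttling handler shapes that the commit message above says changed between plugin-throttling v3 and v8, as an added example that is not the auto project's code: `MAX_RETRIES`, `buildThrottleOptions`, `legacyOnAbuseLimit` and `fakeOctokit` are assumed names, and the fake Octokit stands in for the real client so the handlers run offline. A bounded retry count keeps a throttled workflow from looping indefinitely on a persistent rate limit.

```javascript
// Added example, not from the auto project.
// v3: onAbuseLimit(retryAfter, options, octokit), attempt counter at options.request.retryCount.
// v4 renamed the hook to onSecondaryRateLimit; v8 passes retryCount as a 4th argument.

const MAX_RETRIES = 3; // constructed cap: never retry a throttled call forever

// Builds the `throttle` option object for Octokit.plugin(throttling) (v8 shape).
// Returning true tells the plugin to retry after `retryAfter` seconds; false aborts.
function buildThrottleOptions(maxRetries = MAX_RETRIES) {
  return {
    // Primary rate limit: X-RateLimit-Remaining reached 0.
    onRateLimit(retryAfter, options, octokit, retryCount) {
      octokit.log.warn(
        `Rate limit hit for ${options.method} ${options.url}; retry in ${retryAfter}s`
      );
      return retryCount < maxRetries;
    },
    // Secondary rate limit (v3 called this onAbuseLimit).
    onSecondaryRateLimit(retryAfter, options, octokit, retryCount) {
      octokit.log.warn(
        `Secondary rate limit for ${options.method} ${options.url}; retry in ${retryAfter}s`
      );
      return retryCount < maxRetries;
    },
  };
}

// Adapter for the v3 call shape, where retryCount lived on options.request.
function legacyOnAbuseLimit(throttle) {
  return (retryAfter, options, octokit) =>
    throttle.onSecondaryRateLimit(retryAfter, options, octokit, options.request.retryCount);
}

// Constructed stand-in for an Octokit instance: records log.warn calls.
function fakeOctokit() {
  const warnings = [];
  return { log: { warn: (msg) => warnings.push(msg) }, warnings };
}

// With the real client (not executed here):
//   const MyOctokit = Octokit.plugin(throttling);
//   new MyOctokit({ auth, throttle: buildThrottleOptions() });
```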