chore(core): upgrade @octokit deps to fix CVE-2025-25288 (paginate-rest ReDoS)#2524
Open
attehuhtakangas wants to merge 2 commits into intuit:main from
Bump @octokit/rest, core, and plugins to versions that ship a patched @octokit/plugin-paginate-rest (>= 9.2.2 / >= 11.4.1), resolving the ReDoS advisory GHSA-h5c3-5r3r-rr8q (CVE-2025-25288, moderate).

Target stack (CJS-compatible, stays off the v21+ ESM-only line):
- @octokit/rest: ^18.12.0 -> ^20.1.2
- @octokit/core: ^3.5.1 -> ^5.2.2
- @octokit/plugin-throttling: ^3.6.2 -> ^8.2.0
- @octokit/plugin-retry: ^3.0.9 -> ^6.1.0
- @octokit/plugin-enterprise-compatibility: 1.3.0 -> ^4.1.0

This resolves @octokit/plugin-paginate-rest to 11.4.4-cjs.2, which is the CJS back-port on the fixed 11.4.x line and is no longer flagged by Socket.

Code adjustments:
- @octokit/plugin-throttling v4 renamed `onAbuseLimit` to `onSecondaryRateLimit`; v8 moved `retryCount` out of the options object into a 4th argument. Update the handler shapes in `packages/core/src/git.ts`.
- @octokit/core v4 removed the `previews` option; drop `symmetra-preview` (GA since 2019 and no longer emits a header).
- GitHub's REST search endpoints now require `advanced_search="true"` (string) rather than boolean `true`. Update `searchRepo` and its test.

Test/build environment:
- The new octokit majors require Node >= 18, so bump CI to Node 20 and `pkg-fetch` binary targets to node18.
- Bump TypeScript to ~4.9.5 so the new `.d.ts` syntax in octokit packages parses. Enable `skipLibCheck` and `useUnknownInCatchVariables: false` to keep the rest of the codebase compiling unchanged.
- Lock `@types/node` to ^18.19.0 (and via a resolution) so lib types match the runtime.
- Pin `@types/readable-stream` to ^4 so it stays compatible with the new @types/node shipped globals.
- Bump `actions/checkout` and `actions/cache` to v4; `actions/setup-node` to v4. Current v3 pins were producing workflow warnings.

Pre-existing tests and lint errors unchanged vs main: 790 passing, 60 failing, 3 lint errors — all identical to the baseline on upstream main.

Refs: GHSA-h5c3-5r3r-rr8q
See also: intuit#2459 (prior attempt at the same upgrade)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`@endemolshinegroup/cosmiconfig-typescript-loader@3.0.2` (last published
2020) calls `ts.resolveTypeReferenceDirectives` with a signature that
TypeScript removed in 4.7. With the TypeScript bump in this branch the
CLI crashes at runtime the moment cosmiconfig tries to load
`auto.config.ts` during `yarn bundle`:
TypeScriptCompileError: Failed to compile TypeScript: Debug Failure.
False expression: Non-string value passed to
`ts.resolveTypeReferenceDirective`, likely by a wrapping package
working with an outdated `resolveTypeReferenceDirectives` signature.
Swap in the maintained fork `cosmiconfig-typescript-loader@^4.4.0`,
which is CJS, still targets `cosmiconfig@7` (the version auto pins),
and works against modern TypeScript. The v4 API exposes the loader as
a factory (`TypeScriptLoader()`), so update the single call-site in
`packages/core/src/config.ts`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Bumps `@octokit/rest` + related plugins to versions that ship a patched `@octokit/plugin-paginate-rest`, fixing GHSA-h5c3-5r3r-rr8q / CVE-2025-25288 (ReDoS, moderate). The old v18 line of `@octokit/rest` transitively pins `@octokit/plugin-paginate-rest@2.x`, which is inside the vulnerable range `< 9.2.2`. Socket and other SCA scanners flag this on any project that pulls in `@auto-it/core`, so fixing it upstream helps every consumer.

## Target stack

CJS-compatible — stays off the `@octokit/rest@21+` ESM-only line to avoid an ESM migration of the whole monorepo:

| Package | From | To |
| --- | --- | --- |
| `@octokit/rest` | `^18.12.0` | `^20.1.2` |
| `@octokit/core` | `^3.5.1` | `^5.2.2` |
| `@octokit/plugin-throttling` | `^3.6.2` | `^8.2.0` |
| `@octokit/plugin-retry` | `^3.0.9` | `^6.1.0` |
| `@octokit/plugin-enterprise-compatibility` | `1.3.0` | `^4.1.0` |

Resolved `@octokit/plugin-paginate-rest` is `11.4.4-cjs.2` — the CJS back-port on the fixed 11.4.x line, no longer flagged.

## Code changes

- `packages/core/src/git.ts`: `plugin-throttling` v4 renamed `onAbuseLimit` → `onSecondaryRateLimit`; v8 moved `retryCount` out of the options object into a 4th handler argument.
- `@octokit/core` v4 removed the `previews` option — dropped `symmetra-preview` (GA since 2019, header no longer needed).
- `advanced_search: "true"` (string) rather than boolean `true`; test updated.
- `@types/node`: `child.pid` narrowing in `verify-auth.ts`, `Object.entries` cast in `utils/omit.ts`, explicit `.toString()` on `execSync` output in `plugins/exec`, tighter regex/reduce types in `plugins/released`, `agent` cast at three `node-fetch` call sites (HttpsProxyAgent shape vs. the new `http.Agent`).

## Test / build environment

- `node >= 18`. CI bumped to Node 20 (LTS) and `pkg-fetch` binaries to `node18`.
- TypeScript `~4.9.5` so the `import { type X }` syntax in the new octokit `.d.ts` parses. Added `skipLibCheck: true` and `useUnknownInCatchVariables: false` to the root `tsconfig` so the rest of the monorepo keeps compiling without touching catch blocks across the codebase.
- `@types/node` hoisted to `^18.19.0` (direct dep + resolution), `@types/readable-stream` pinned to `^4` via resolution so it matches the new node globals.
- `actions/checkout` / `actions/cache` bumped to `v4`, `actions/setup-node` to `v4`. The old `v3` pins were one likely reason some dependabot/related PRs wouldn't go green.

## Test status

Locally, on Node 22 / yarn 1:

- `yarn build` ✅
- `yarn lint` — 3 errors, identical to `main` (pre-existing unused-`memoize` imports).
- `yarn test` — 790 passing, 60 failing. Identical failure set to `main`; all remaining failures are pre-existing (the prebuilt `pkg` binary not being present locally, `strip-ansi@7` ESM vs. ts-jest@26, and a handful of tests that require a real `GITHUB_TOKEN`). No new regressions introduced by this change.

## Change Type

- documentation
- patch
- minor
- major

It's arguably a `major` because the Node engine requirement effectively moves from 14 to 18 and some octokit-plugin option names change, but the surface of `@auto-it/core` is unchanged. Happy to relabel if you prefer.

## Notes

- `@octokit/rest@19` because that major still ships `plugin-paginate-rest@6.x` — also inside the CVE's vulnerable range — so it wouldn't fix the advisory.
- `@auto-it/core` or any plugin.

🤖 Generated with Claude Code
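The handler-shape change the PR describes for `@octokit/plugin-throttling` (the `onAbuseLimit` → `onSecondaryRateLimit` rename in v4, and `retryCount` moving from the options object to a 4th argument in v8) is easy to get subtly wrong when migrating, because a handler that still reads `options.request.retryCount` compiles but never sees the count and can retry forever. The following is an added example, not code from the auto PR or from the octokit project: it writes both shapes as types, shows a v8-style handler pair with a bounded retry budget, a small adapter that wraps a pre-v8 handler into the v8 shape, and a constructed driver that stands in for the plugin's retry loop so it runs offline. The handler names `onRateLimit`/`onSecondaryRateLimit`, the `RequestOptions` shape, `MAX_RETRIES` and `simulateThrottledRequest` are assumptions made for this example; the real plugin calls the handlers with a live Octokit instance.

```typescript
// Added example (assumptions labelled inline), not code from the auto PR.

type RequestOptions = {
  method: string;
  url: string;
  request?: { retryCount?: number };
};

// Pre-v8 shape (assumed from the PR description): the retry count lived
// on options.request, so a handler read options.request.retryCount.
type LegacyThrottleHandler = (
  retryAfter: number,
  options: RequestOptions & { request: { retryCount: number } },
  octokit: unknown,
) => boolean | void;

// v8 shape: retryCount is passed explicitly as the 4th argument.
type ThrottleHandler = (
  retryAfter: number,
  options: RequestOptions,
  octokit: unknown,
  retryCount: number,
) => boolean | void;

// Retry budget (assumption): give up after this many retries so a throttled
// client cannot spin indefinitely against the rate limiter.
const MAX_RETRIES = 3;

// v8-style handler pair. Returning true asks the plugin to retry after
// `retryAfter` seconds; anything else lets the request fail.
const throttleOptions: {
  onRateLimit: ThrottleHandler;
  onSecondaryRateLimit: ThrottleHandler; // named onAbuseLimit before plugin-throttling v4
} = {
  onRateLimit: (_retryAfter, _options, _octokit, retryCount) => retryCount < MAX_RETRIES,
  onSecondaryRateLimit: (_retryAfter, _options, _octokit, retryCount) => retryCount < MAX_RETRIES,
};

// Migration helper: registers a pre-v8 handler under the v8 shape by packing
// the 4th argument back into options.request.retryCount.
function adaptLegacyHandler(legacy: LegacyThrottleHandler): ThrottleHandler {
  return (retryAfter, options, octokit, retryCount) =>
    legacy(retryAfter, { ...options, request: { ...options.request, retryCount } }, octokit);
}

// Constructed driver standing in for the plugin's retry loop: the first
// `throttledResponses` attempts are answered with a rate-limit response and the
// handler decides whether to try again. Reports the attempts made and whether
// the request eventually went through.
function simulateThrottledRequest(
  handler: ThrottleHandler,
  throttledResponses: number,
): { attempts: number; succeeded: boolean } {
  const options: RequestOptions = { method: "GET", url: "/search/repositories" };
  let retryCount = 0;
  let attempts = 0;
  for (;;) {
    attempts += 1;
    if (attempts > throttledResponses) {
      return { attempts, succeeded: true };
    }
    // Throttled: ask the handler (retryAfter of 1 second, no real octokit) whether to retry.
    if (handler(1, options, null, retryCount) !== true) {
      return { attempts, succeeded: false };
    }
    retryCount += 1;
  }
}

// Stand-alone run: a request throttled twice succeeds on the 3rd attempt; a
// permanently throttled one is abandoned once retryCount reaches MAX_RETRIES.
console.log(simulateThrottledRequest(throttleOptions.onSecondaryRateLimit, 2));
console.log(simulateThrottledRequest(throttleOptions.onSecondaryRateLimit, 100));
```

The point of the adapter is that the decision logic stays identical across the two shapes; only where `retryCount` comes from changes. Whichever shape is in use, a handler should compare against a finite budget, since the plugin will keep re-invoking it for as long as it answers `true`.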