Update dependency probot to v12 [SECURITY] #13

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-probot-vulnerability

Conversation


@renovate renovate bot commented Jul 11, 2024

This PR contains the following updates:

Package: probot (source)
Change: ^11.0.1 → ^12.0.0

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x, v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process.

The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

Maintenance release for the reference for octokit/webhooks.js in app.js

Maintenance release for the reference for octokit/webhooks.js in octokit.js

Maintenance release for the reference for octokit/webhooks.js in Probot

Workarounds

It is recommended that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated backported versions.


Release Notes

probot/probot (probot)

v12.3.3 (Bug Fixes)
v12.3.2 (Bug Fixes)
v12.3.1 (Bug Fixes)
v12.3.0 (Features)
v12.2.9 (Bug Fixes)
v12.2.8 (Bug Fixes)
v12.2.7 (Bug Fixes)
v12.2.6 (Bug Fixes)
v12.2.5 (Bug Fixes)
v12.2.4 (Bug Fixes)
v12.2.3 (Bug Fixes)
  • deps: bump eventsource from 1.1.0 to 2.0.2 (7fd06d6)
v12.2.2 (Bug Fixes)
v12.2.1 (Bug Fixes)
v12.2.0 (Features)
  • customize account name for manifest creation flow using GH_ORG environment variable (#1606) (992b480)
v12.1.4 (Bug Fixes)
v12.1.3 (Bug Fixes)
v12.1.2 (Bug Fixes)
  • typescript: add types for context.{repo,issue,pullRequest} (#1622) (638a3b2)
v12.1.1 (Bug Fixes)
v12.1.0 (Features)
v12.0.0 (Features; BREAKING CHANGES)
  • remove '*' event
  • app.webhooks.middleware has been removed in @octokit/webhooks v9
  • removes the webhookPath option on new Probot({}) for the webhooks middleware
v11.4.1 (Bug Fixes)
  • support setting baseUrl on Octokit constructor instead of Probot constructor (#1552) (453ddd2)
v11.4.0 (Features)
v11.3.2 (Bug Fixes)
v11.3.1 (Bug Fixes)
  • setup: do not enter setup mode if HOST environment variable is set (#1538) (4d70d69)
v11.3.0 (Features)
v11.2.4 (Bug Fixes)
v11.2.3 (Bug Fixes)
v11.2.2 (Bug Fixes)
  • add workaround for "appId option is required" when in setup mode (#1513) (e11b91e)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from d29c7fb to ed61d3b on August 14, 2025 16:14
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from ed61d3b to e5a7d2f on September 1, 2025 14:42
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from e5a7d2f to 1611076 on September 26, 2025 07:26
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from 1611076 to 0d72435 on October 25, 2025 20:09
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch 2 times, most recently from 6937135 to bf8ae5f on November 19, 2025 04:13
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from bf8ae5f to d219451 on December 5, 2025 11:10
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from d219451 to 97e6076 on January 1, 2026 03:40
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from 97e6076 to 9d85c27 on January 8, 2026 16:13
@renovate renovate bot force-pushed the renovate/npm-probot-vulnerability branch from 9d85c27 to d7a5efc on January 19, 2026 23:28