
Update dependency octokit to v3 [SECURITY]#12482

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-octokit-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package   Change
octokit   ^2.0.0 -> ^3.0.0
octokit   ^2.0.4 -> ^3.0.0

Unauthenticated Denial of Service in the octokit/webhooks library

CVE-2023-50728 / GHSA-pwfr-8pq7-x9qv

More information

Details

Impact

Versions v9.26.0, v10.9.x, v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

Maintenance release for the reference for octokit/webhooks.js in app.js

Maintenance release for the reference for octokit/webhooks.js in octokit.js

Maintenance release for the reference for octokit/webhooks.js in Probot

Workarounds

It is recommended that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back-ported versions.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

octokit/octokit.js (octokit)

v3.1.2


Bug Fixes
  • updates app.js for the handling of an error being thrown by the verify method in webhooks.js (#2576) (b59da80)

v3.1.1


Bug Fixes

v3.1.0


Features

v3.0.0


Features
BREAKING CHANGES
  • Drop support for NodeJS v14, v16
  • Remove previews support for the REST API
  • remove agent option from octokit.request()
  • Replace support for Node.js http(s) Agents with documentation on using fetch dispatchers instead (via @octokit/request)
  • Remove ability to pass custom request options, except for method, headers, body, signal (via @octokit/request)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 15, 2026
@codesandbox

codesandbox Bot commented Apr 15, 2026

Review or Edit in CodeSandbox


@entelligence-ai-pr-reviews

entelligence-ai-pr-reviews Bot commented Apr 15, 2026

EntelligenceAI PR Summary

This PR performs a major version upgrade of the octokit GitHub API client and updates associated lockfile resolutions, while also isolating the gitops-profiles plugin dependencies from the monorepo workspace.

  • Upgrades octokit from ^2.x to ^3.0.0 in plugins/github-issues/package.json and plugins/scaffolder-backend/package.json
  • Updates all @octokit/* scoped packages in yarn.lock to versions compatible with Octokit v3
  • Pins @backstage/plugin-gitops-profiles transitive Backstage dependencies to older fixed versions (0.1.x), decoupling them from current monorepo workspace references
  • Adds legacy package resolutions in yarn.lock for older Backstage core packages and their transitive dependency trees
  • Bumps shared/security-relevant packages: semver, cross-fetch, node-fetch, dompurify, core-js, universal-github-app-jwt, jsonwebtoken, react-syntax-highlighter

Confidence Score: 2/5 - Changes Needed

Not safe to merge — while this PR correctly identifies a security-motivated upgrade path for octokit to v3, it upgrades plugins/github-issues/package.json and plugins/scaffolder-backend/package.json to ^3.0.0 without including any corresponding source-level changes to adapt to Octokit v3's breaking API changes, which will almost certainly cause runtime failures in production. The octokit v3 release introduced significant API surface changes from v2, and shipping a major version bump with no callsite updates is a high-risk incomplete migration. The lockfile and gitops-profiles isolation work appears reasonable on its own, but cannot be safely merged alongside an untested breaking dependency upgrade.

Key Findings:

  • The bump of octokit from ^2.0.4 to ^3.0.0 in plugins/github-issues/package.json is a major version change with known breaking API changes, yet no JavaScript/TypeScript source files in the github-issues plugin have been modified to account for renamed or removed APIs — this is a near-certain path to runtime errors.
  • Similarly, plugins/scaffolder-backend/package.json receives the same ^3.0.0 bump with no visible source-level migration, meaning any octokit usage in the scaffolder backend plugin is also unvalidated against the new API contract.
  • The lockfile updates to @octokit/* scoped packages and the @backstage/plugin-gitops-profiles dependency isolation are reasonable housekeeping changes, but they are bundled with an untested major-version API migration which makes the overall PR unsafe to merge as-is.

Files requiring special attention
  • plugins/github-issues/package.json
  • plugins/scaffolder-backend/package.json


@entelligence-ai-pr-reviews entelligence-ai-pr-reviews Bot left a comment


Walkthrough

This PR upgrades the octokit dependency from v2 to v3 across the github-issues and scaffolder-backend plugins. The lockfile is updated accordingly with cascading @octokit/* package upgrades. Additionally, @backstage/plugin-gitops-profiles dependencies are pinned to older fixed versions, several legacy Backstage package resolutions are added, and multiple shared packages receive security/maintenance version bumps.

Changes

File(s): plugins/github-issues/package.json, plugins/scaffolder-backend/package.json
Summary: Bumps octokit dependency from ^2.x to ^3.0.0, a major version upgrade.

File(s): yarn.lock
Summary: Updates lockfile to reflect octokit v2→v3 upgrade with cascading changes to all @octokit/* packages (app, auth-app, core, oauth-app, webhooks, and related plugins); pins @backstage/plugin-gitops-profiles transitive dependencies (@backstage/config, @backstage/core-components, @backstage/core-plugin-api, @backstage/theme) to specific older 0.1.x versions; adds legacy package resolutions and their transitive dependencies (material-table, react-markdown, remark-gfm, d3/micromark/unified ecosystem, jspdf, canvg, html2canvas); bumps semver to 7.7.4, cross-fetch to 3.2.0, node-fetch to 2.7.0, dompurify to 2.5.9, core-js to 3.49.0, universal-github-app-jwt to 1.2.0, jsonwebtoken to 9.0.3, and react-syntax-highlighter to 15.6.6.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant App as Backstage App
    participant GHIssues as github-issues plugin
    participant ScaffBE as scaffolder-backend plugin
    participant OctokitV3 as octokit v3
    participant GHApp as @octokit/app v14
    participant Core as @octokit/core v5
    participant Paginate as plugin-paginate-rest v11
    participant REST as plugin-rest-endpoint-methods v13
    participant Retry as plugin-retry v6
    participant Throttle as plugin-throttling v8
    participant Webhooks as @octokit/webhooks v12
    participant GHApi as GitHub API

    Note over GHIssues, ScaffBE: Both plugins upgraded from octokit v2 to v3
    App->>GHIssues: initialize plugin
    GHIssues->>OctokitV3: import octokit v3
    activate OctokitV3
    OctokitV3->>GHApp: use @octokit/app v14
    OctokitV3->>Core: use @octokit/core v5
    OctokitV3->>Paginate: use plugin-paginate-rest v11 (CJS)
    OctokitV3->>REST: use plugin-rest-endpoint-methods v13 (CJS)
    OctokitV3->>Retry: use plugin-retry v6
    OctokitV3->>Throttle: use plugin-throttling v8
    OctokitV3->>Webhooks: use @octokit/webhooks v12
    deactivate OctokitV3

    GHIssues->>Core: authenticate request
    Core->>GHApi: REST/GraphQL call
    GHApi-->>Core: response
    Core-->>GHIssues: issues data

    App->>ScaffBE: scaffold action triggered
    ScaffBE->>OctokitV3: import octokit v3
    activate OctokitV3
    OctokitV3->>Core: use @octokit/core v5
    deactivate OctokitV3

    ScaffBE->>Core: create pull request via octokit-plugin-create-pull-request
    Core->>GHApi: POST /repos/pulls
    GHApi-->>Core: pull request created
    Core-->>ScaffBE: PR URL returned

    Note over GHApp, Webhooks: v3 adds @octokit/plugin-paginate-graphql v4
    Note over Paginate: CJS-specific build used for compatibility


"@material-ui/lab": "4.0.0-alpha.61",
"luxon": "^3.0.0",
"octokit": "^2.0.4",
"octokit": "^3.0.0",
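Review bot: the new range `"octokit": "^3.0.0"` in plugins/github-issues/package.json still admits 3.0.0 through 3.1.1, and the release notes on this page place the fix for the error thrown by the verify method in webhooks.js in v3.1.2 (app.js handling, #2576), so a fresh resolve that ignores yarn.lock could land on an unpatched 3.x. Raise the floor to `"octokit": "^3.1.2"` so the manifest itself excludes those versions, and pair the bump with the call-site audit for the v3 breaking changes (dropped previews, dropped agent option, restricted request options) since no source under plugins/github-issues changes here.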


Correctness: Upgrading octokit from ^2.0.4 to ^3.0.0 is a major version bump that likely includes breaking API changes, but no source file changes are included in this PR to update the plugin's usage of the octokit API — this risks runtime failures if any removed or renamed APIs are called.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In plugins/github-issues/package.json, line 36, the `octokit` dependency is being bumped from `^2.0.4` to `^3.0.0`. This is a major version upgrade. Review the octokit v3 changelog for breaking changes and audit all usages of the octokit API in plugins/github-issues/src/ to ensure they are compatible with v3. Update any call sites that use removed or renamed APIs before merging this change.

@augmentcode

augmentcode Bot commented Apr 15, 2026

🤖 Augment PR Summary

Summary: This PR upgrades the GitHub SDK dependency octokit to the v3 major line to address a reported security advisory affecting Octokit’s webhooks error handling.

Changes:

  • Bumps octokit from ^2.x to ^3.0.0 in plugins/github-issues.
  • Bumps octokit from ^2.x to ^3.0.0 in plugins/scaffolder-backend.
  • Updates yarn.lock accordingly (dependency graph refresh).

Technical Notes: This is a major dependency upgrade (Octokit v3) driven by a security alert, and may require validating Node/runtime and TypeScript compatibility across the affected plugins.



@augmentcode augmentcode Bot left a comment


Review completed. 3 suggestions posted.


Comment augment review to trigger a new review at any time.

"node-fetch": "^2.6.7",
"nunjucks": "^3.2.3",
"octokit": "^2.0.0",
"octokit": "^3.0.0",
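Review bot: `"octokit": "^3.0.0"` in plugins/scaffolder-backend/package.json moves the plugin onto a major that, per the v3 release notes above, removes REST API previews support, while the review remark on this page says the plugin still passes previews: ['nebula-preview'] from getOctokitOptions; that option needs to be removed or replaced in the same change rather than left to fail silently at runtime. The range also admits 3.0.0 through 3.1.1, which the release notes list before the v3.1.2 fix for the verify-method error, so use `"octokit": "^3.1.2"` as the floor; the `"node-fetch": "^2.6.7"` line two above stays as-is only if something other than octokit still uses it, since v3 relies on the runtime's fetch.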

@augmentcode augmentcode Bot Apr 15, 2026


octokit@^3 explicitly drops Node.js v16 support and requires Node 18+ (native fetch), but this repo’s root engines and CI matrix still include Node 16, so yarn install/runtime scaffolder actions may break under Node 16.

Severity: high

Other Locations
  • plugins/github-issues/package.json:36



"@material-ui/lab": "4.0.0-alpha.61",
"luxon": "^3.0.0",
"octokit": "^2.0.4",
"octokit": "^3.0.0",

@augmentcode augmentcode Bot Apr 15, 2026


Octokit v3 uses conditional exports and documents needing TS moduleResolution: node16 / module: node16, while this repo’s base tsconfig currently uses moduleResolution: node, so type resolution/build may fail after this bump.

Severity: medium

Other Locations
  • plugins/scaffolder-backend/package.json:91



"node-fetch": "^2.6.7",
"nunjucks": "^3.2.3",
"octokit": "^2.0.0",
"octokit": "^3.0.0",

@augmentcode augmentcode Bot Apr 15, 2026


Octokit v3 release notes mention removing REST API preview support; plugins/scaffolder-backend currently sets previews: ['nebula-preview'] in getOctokitOptions, so it’s worth verifying this option is still accepted/has effect with v3.

Severity: medium


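A pre-merge check for two of the review findings above, the Node floor that octokit v3 raises and the removed `previews` and `agent` options from the v3 release notes, as an added example rather than anything from this PR, Backstage or octokit. It runs over an inline sample that mirrors the cited previews: ['nebula-preview'] usage; enginesStillAllowDroppedNode, auditSource and runAudit, the sample file path, the sample source and the engines range are all constructed here. The checks are regex based and over-approximate, so hits are review leads, not proof of breakage.

```javascript
// Node majors that the octokit v3 release notes say are no longer supported.
const V3_DROPPED_NODE_MAJORS = [14, 16];

// True if an engines.node range such as ">=16", "^16.0.0" or "16 || 18 || 20"
// still admits a Node major that octokit v3 dropped. Hypothetical helper that only
// understands these simple shapes (no full semver parsing).
function enginesStillAllowDroppedNode(range) {
  return range.split("||").some((part) => {
    const m = part.trim().match(/^(>=|\^|~)?\s*(\d+)/);
    if (!m) return false;
    const major = Number(m[2]);
    return m[1] === ">=" ? major <= 16 : V3_DROPPED_NODE_MAJORS.includes(major);
  });
}

// Call-site markers for options the v3 release notes remove. Regex based on purpose:
// a false positive costs a glance, a missed call site costs a runtime failure.
const RULES = [
  { id: "previews-removed", re: /\bpreviews\s*:/, note: "REST API previews support removed in octokit v3" },
  { id: "agent-removed", re: /\bagent\s*:/, note: "http(s) Agent option removed; use a fetch dispatcher instead" },
];

// Returns one finding per matching source line, with a file:line locator.
function auditSource(file, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ where: `${file}:${idx + 1}`, rule: rule.id, note: rule.note, line: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample modelled on the review remark about getOctokitOptions; not the
// real Backstage file, and the proxy-agent line is invented for the demo.
const SAMPLE_FILE = "sample/getOctokitOptions.ts";
const SAMPLE_SOURCE = `
import { Octokit } from 'octokit';
export function getOctokitOptions(token) {
  return {
    auth: token,
    previews: ['nebula-preview'],
    request: { agent: new HttpsProxyAgent(process.env.HTTPS_PROXY) },
  };
}
`;

// Constructed package.json fragment with an engines range that still admits Node 16.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ engines: { node: ">=16" } });

// Runs both checks and returns a single report object for a CI gate to act on.
function runAudit() {
  const findings = auditSource(SAMPLE_FILE, SAMPLE_SOURCE);
  const enginesRange = JSON.parse(SAMPLE_PACKAGE_JSON).engines.node;
  return {
    findings,
    enginesRange,
    nodeFloorConflict: enginesStillAllowDroppedNode(enginesRange),
    safeToMerge: findings.length === 0 && !enginesStillAllowDroppedNode(enginesRange),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

To use it against a checkout, feed each source file under the affected plugins to auditSource and the root package.json engines range to enginesStillAllowDroppedNode, and fail CI when safeToMerge is false; the moduleResolution concern from the same review is a tsconfig check that tsc itself will surface and is not covered here.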


Labels: dependencies (Pull requests that update a dependency file), scaffolder
