Skip to content

Update dependency octokit to v3 [SECURITY] #12482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency octokit to v3 [SECURITY] #12482

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion plugins/github-issues/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
"@material-ui/icons": "^4.9.1",
"@material-ui/lab": "4.0.0-alpha.61",
"luxon": "^3.0.0",
"octokit": "^2.0.4",
"octokit": "^3.0.0",
Copy link
Copy Markdown

@entelligence-ai-pr-reviews entelligence-ai-pr-reviews Bot Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: Upgrading octokit from ^2.0.4 to ^3.0.0 is a major version bump that likely includes breaking API changes, but no source file changes are included in this PR to update the plugin's usage of the octokit API — this risks runtime failures if any removed or renamed APIs are called.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In plugins/github-issues/package.json, line 36, the `octokit` dependency is being bumped from `^2.0.4` to `^3.0.0`. This is a major version upgrade. Review the octokit v3 changelog for breaking changes and audit all usages of the octokit API in plugins/github-issues/src/ to ensure they are compatible with v3. Update any call sites that use removed or renamed APIs before merging this change.

Copy link
Copy Markdown

@augmentcode augmentcode Bot Apr 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Octokit v3 uses conditional exports and documents needing TS moduleResolution: node16 / module: node16, while this repo’s base tsconfig currently uses moduleResolution: node, so type resolution/build may fail after this bump.

Severity: medium

Other Locations
  • plugins/scaffolder-backend/package.json:91

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

"react-use": "^17.4.0"
},
"peerDependencies": {
Expand Down
2 changes: 1 addition & 1 deletion plugins/scaffolder-backend/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@
"morgan": "^1.10.0",
"node-fetch": "^2.6.7",
"nunjucks": "^3.2.3",
"octokit": "^2.0.0",
"octokit": "^3.0.0",
Copy link
Copy Markdown

@augmentcode augmentcode Bot Apr 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

octokit@^3 explicitly drops Node.js v16 support and requires Node 18+ (native fetch), but this repo’s root engines and CI matrix still include Node 16, so yarn install/runtime scaffolder actions may break under Node 16.

Severity: high

Other Locations
  • plugins/github-issues/package.json:36

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

Copy link
Copy Markdown

@augmentcode augmentcode Bot Apr 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Octokit v3 release notes mention removing REST API preview support; plugins/scaffolder-backend currently sets previews: ['nebula-preview'] in getOctokitOptions, so it’s worth verifying this option is still accepted/has effect with v3.

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

"octokit-plugin-create-pull-request": "^3.10.0",
"p-limit": "^3.1.0",
"p-queue": "^6.6.2",
Expand Down
Loading
Loading