2 changes: 1 addition & 1 deletion examples/notion-task-github-pr-sync/package.json
Expand Up @@ -16,6 +16,6 @@
"@notionhq/client": "file:../../",
"dotenv": "^16.0.1",
"lodash": "^4.17.21",
"octokit": "^2.0.3"
"octokit": "^5.0.2"

critical

This upgrade to octokit v5.0.2 is a major version jump from v2.1.0. While this addresses security vulnerabilities, it introduces critical breaking changes that need to be handled:

  1. Missing Peer Dependency: octokit v3.0.0 and later (including the new v5.0.2) require @octokit/core as a peer dependency. Your package.json needs to be updated to include it. Without @octokit/core, the application (index.js) will likely fail at runtime when trying to use octokit.
    You'll need to add @octokit/core to your dependencies. For octokit@5.0.2, a compatible version for @octokit/core would typically be ^5.0.0 (as octokit@5.0.2 has a peer dependency requirement of @octokit/core: ">=5.0.0 <7.0.0").

    Example of how to add it in package.json:

    "dependencies": {
      // ... other dependencies
      "octokit": "^5.0.2",
      "@octokit/core": "^5.0.0", // Add this line
      // ...
    }

    After adding this, run npm install or yarn install.

  2. Other Potential API Breaking Changes: Major version upgrades often include other API changes beyond peer dependencies. The Snyk metadata for this PR also explicitly states "isBreakingChange":true.

    • It's crucial to thoroughly review the octokit changelogs for versions 3.x, 4.x, and 5.x to identify any other changes that might affect how octokit is used in index.js.
    • Pay special attention to the instantiation (new Octokit(...)) and methods like octokit.paginate.iterator(octokit.rest.pulls.list, ...) used in index.js.
    • After addressing the peer dependency and reviewing changelogs, the application must be thoroughly tested to ensure all GitHub integration functionality remains correct.

This PR should not be merged until these issues, particularly the missing peer dependency, are resolved.

}
}
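Review bot: The range change at "octokit": "^5.0.2" moves this example from the 2.x line straight to 5.x, and it is the only line the hunk touches, so nothing here shows that the code consuming the package was checked against the intervening major releases. Before merging, regenerate the lockfile for examples/notion-task-github-pr-sync in the same change (if the example keeps one), do a clean install and run the example end to end, and confirm from the install output whether any additional dependency entries are actually required. It would also help to name in the PR description the advisory this bump is meant to close, so the fix can be confirmed with npm audit afterwards.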