fix(deps): update dependency probot to v12.3.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
probot (source)	12.1.4 -> 12.3.3

GitHub Vulnerability Alerts

CVE-2023-50728

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @​octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @​pb82 (for the early analysis) and @​rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

• v12 - v12.0.4
• v11 - v11.1.2
• v10 -v10.9.2
• v9 - v9.26.3

Maintenance release for the reference for octokit/webhooks.js in app.js

• v14.0.2

Maintenance release for the reference for octokit/webhooks.js in octokit.js

• v3.1.2

Maintenance release for the reference for octokit/webhooks.js in Protobot

• v12.3.3

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

---

Release Notes

probot/probot (probot)

v12.3.3

Compare Source

Bug Fixes

• deps: @octokit/webhooks security update (#​1911) (02d81f8)

v12.3.2

Compare Source

Bug Fixes

• Fix async main function type (#​1672) (fc6886d)

v12.3.1

Compare Source

Bug Fixes

• typescript: simplify ProbotWebhooks object (#​1833) (7b09369)

v12.3.0

Compare Source

Features

• server: add logging options (#​1645) (6c5840d)

v12.2.9

Compare Source

Bug Fixes

• typescript: add missing import (#​1783) (229a01c)

v12.2.8

Compare Source

Bug Fixes

• Make probot receive support complex Probot apps (#​1714) (eff5553)

v12.2.7

Compare Source

Bug Fixes

• receive: --base-url option and GHE_HOST (#​1719) (68c9b91)

v12.2.6

Compare Source

Bug Fixes

• deps: upgrade octokit/types to v7.1.1 (#​1724) (be45120)

v12.2.5

Compare Source

Bug Fixes

• remove update-notifier (#​1706) (05297fb), closes /github.com/probot/probot/issues/1102#issuecomment-570598406

v12.2.4

Compare Source

Bug Fixes

• logging of first octokit instance is not set (#​1676) - thanks @​kammerjaeger @​markjm (646b6a9)

v12.2.3

Compare Source

Bug Fixes

• deps: bump eventsource from 1.1.0 to 2.0.2 (7fd06d6)

v12.2.2

Compare Source

Bug Fixes

• Replaced hbs with express-handlebars (#​1659) (420f886)

v12.2.1

Compare Source

Bug Fixes

• security: bump minimal version of hbs (#​1638) (dd9f5ae)

v12.2.0

Compare Source

Features

• customize account name for manifest creation flow using GH_ORG environment variable (#​1606) (992b480)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7781b61

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR