Merge pull request #1481 from danger/fb/cve-octokit-rest-mitigation

chore: Upgrade @octokit/rest for CVE patch - no-ESM mitigation patch - Fixes #1479

Author: fbartho

Diff for: .github/workflows/CI.yml

@@ -10,7 +10,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "20"
 
       # Get local dependencies & test
       - run: yarn install

Diff for: .vscode/settings.json

@@ -14,39 +14,55 @@
   "editor.formatOnSave": true,
   "debug.node.autoAttach": "on",
   "cSpell.words": [
-    "APIPR",
-    "BITBUCKETSERVER",
-    "Chainsmoker",
-    "Commenter",
     "accum",
+    "ahobson",
+    "alexandermendes",
     "apipr",
+    "APIPR",
     "ashfurrow",
     "autogenerated",
     "bdotdub",
     "bitbucket",
+    "BITBUCKETSERVER",
     "bitrise",
     "buildkite",
     "caffodian",
+    "Chainsmoker",
+    "CIAPI",
     "codefresh",
     "codemagic",
     "codeship",
+    "Commenter",
     "commit's",
     "dangerfile",
     "dangerfiles",
+    "davidhouweling",
     "deletable",
+    "denieler",
     "dfalling",
+    "doniyor",
     "dsljson",
     "dtslint",
     "eigen",
     "fbartho",
     "filepaths",
+    "Fixtured",
+    "fsevents",
     "gantman",
+    "GHSA",
     "gitdata",
     "globbed",
+    "gzaripov",
+    "hellocore",
+    "hmcc",
+    "hmschreiner",
     "hongrich",
+    "Honza",
     "hyperlinker",
+    "igorbek",
     "ints",
     "isobject",
+    "jamiebuilds",
     "jira",
     "jsondsl",
     "jsonpointer",
@@ -55,27 +71,53 @@
     "kwonoj",
     "lockfile",
     "macklinu",
+    "mapvalues",
+    "meloni",
+    "melvinvermeer",
+    "memfs",
     "micromatch",
     "mifi",
     "mlabrum",
+    "Moni",
     "nevercode",
     "octokit",
+    "offrey",
+    "openapi",
+    "orta",
+    "ozzieorca",
+    "pagelen",
     "patriksimek",
     "peterjgrainger",
+    "pgoudreau",
+    "pinkasey",
     "prdsl",
+    "prepush",
     "repo",
     "repo's",
+    "rogerluan",
+    "Rouby",
+    "rwvf",
+    "rzgry",
     "samdmarshall",
+    "shyim",
+    "sogame",
+    "Therox",
     "tldr",
     "tooling",
     "tooling's",
     "transpiler",
+    "transpiling",
     "tychota",
     "type'd",
+    "typedoc",
+    "typescriptify",
+    "unfernandito",
     "urkle",
+    "valscion",
     "vendored",
     "voca",
     "vsts",
+    "wardpeet",
     "webhook",
     "wizardishungry"
   ]

Diff for: CHANGELOG.md

@@ -16,6 +16,7 @@
 
 <!-- Your comment below this -->
 
+- Update `@octokit/rest` to prevent transitive CVEs - Fixes [#1479](https://github.com/danger/danger-js/issues/1479) [@fbartho]
 - Clean up dead discussion link - Fixes [#1467](https://github.com/danger/danger-js/issues/1467) [@fbartho]
 
 <!-- Your comment above this -->

Diff for: appveyor.yml

@@ -1,6 +1,6 @@
 # Test against this version of Node.js
 environment:
-  nodejs_version: "18"
+  nodejs_version: "20"
 
 # Install scripts. (runs after repo cloning)
 install:

Diff for: package.json

@@ -78,7 +78,7 @@
     "type": "git",
     "url": "git+https://github.com/danger/danger-js.git"
   },
-  "packageManager": "[email protected].19",
+  "packageManager": "[email protected].22",
   "keywords": [
     "danger",
     "ci"
@@ -135,7 +135,7 @@
     "nock": "^13.2.0",
     "pkg": "^5.8.1",
     "prettier": "^2.5.1",
-    "release-it": "^13.5.2",
+    "release-it": "^18.1.2",
     "shx": "^0.3.4",
     "ts-jest": "^28.0.0",
     "ts-node": "^10.9.2",
@@ -145,7 +145,7 @@
   },
   "dependencies": {
     "@gitbeaker/rest": "^38.0.0",
-    "@octokit/rest": "^18.12.0",
+    "@octokit/rest": "^20.1.2",
     "async-retry": "1.2.3",
     "chalk": "^2.3.0",
     "commander": "^2.18.0",
@@ -165,7 +165,7 @@
     "lodash.keys": "^4.0.8",
     "lodash.mapvalues": "^4.6.0",
     "lodash.memoize": "^4.1.2",
-    "memfs-or-file-map-to-github-branch": "^1.2.1",
+    "memfs-or-file-map-to-github-branch": "^1.3.0",
     "micromatch": "^4.0.4",
     "node-cleanup": "^2.1.2",
     "node-fetch": "^2.6.7",

Diff for: source/api/fetch.ts

@@ -45,7 +45,7 @@ export async function retryableFetch(
     {
       retries: retries,
       onRetry: (error, attempt) => {
-        warn(error.message)
+        warn((error as any)?.message)
         warn(`Retry ${attempt} of ${retries}.`)
       },
     }

Diff for: source/platforms/github/GitHubUtils.ts

@@ -171,7 +171,9 @@ export const createOrUpdatePR =
     }
 
     d("Creating a branch")
-    await filepathContentsMapToUpdateGitHubBranch(api, fileMap, branchSettings)
+    // temporary hack because typescript thinks we're using two different definitions of Octokit?
+    const tmpHackApi = api as any as Parameters<typeof filepathContentsMapToUpdateGitHubBranch>[0]
+    await filepathContentsMapToUpdateGitHubBranch(tmpHackApi, fileMap, branchSettings)
 
     d("Getting open PRs")
     const prs = await api.pulls.list({ repo, owner, state: "open" })

Diff for: source/runner/runners/utils/_tests/_transpiler.test.ts

@@ -95,9 +95,14 @@ describe("babelify", () => {
     const dangerfile = `import { a } from 'lodash';
 a();`
 
-    const existsSyncMock = fs.existsSync as jest.Mock
     const actualFs = jest.requireActual("fs") as typeof fs
+    const existsSyncMock = fs.existsSync as jest.Mock
+    const statSyncMock = fs.statSync as jest.Mock
     existsSyncMock.mockImplementation((path) => path === "/a/b/babel.config.js" || actualFs.existsSync(path))
+    statSyncMock.mockImplementation((path) =>
+      // browserslist gets called by babelify, and browserslist checks for all imported things to see if they're directories
+      path === "/a/b/babel.config.js" ? { isDirectory: () => false } : actualFs.statSync(path)
+    )
     jest.mock(
       "/a/b/babel.config.js",
       () => {