Conversation
- upgraded @actions/github to ^6.0.1 to remove vulnerabilities
- @actions/github v6 uses octokit.rest.repos.* / octokit.rest.git.* instead of octokit.repos.* / octokit.git.*, so further changes were made
- @actions/github@^6.0.1 pulls in undici, a dependency that uses AbortSignal at module load time. Jest 27's node environment doesn't expose all Node.js globals properly in its VM context, thus the Jest ecosystem was upgraded.
…-review allow list
Pull request overview
This PR addresses security vulnerabilities by upgrading @actions/github from v4 to v6, along with necessary Jest ecosystem updates to maintain compatibility. The upgrade requires migrating from the old Octokit API pattern (octokit.repos.*) to the new pattern (octokit.rest.repos.*). Additionally, Jest was upgraded from v27 to v29 to properly support undici, a transitive dependency of @actions/github v6 that requires proper Node.js globals in the test environment.
Changes:
- Upgraded @actions/github from ^4.0.0 to ^6.0.1 and migrated all Octokit API calls to use the new `.rest.` prefix pattern
- Upgraded Jest ecosystem from v27 to v29 (jest, @types/jest, ts-jest) and removed explicit jest-circus dependency since it's now included by default
- Added vulnerability exception for GHSA-g9mf-h72j-4rw9 (undici) with documented justification in both osv-scanner.toml and dependency-review workflow
Reviewed changes
Copilot reviewed 5 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updated @actions/github to v6.0.1, upgraded Jest ecosystem to v29, updated TypeScript constraint to ~4.9 |
| src/github.ts | Migrated all Octokit API calls to use octokit.rest.repos.* and octokit.rest.git.* patterns |
| tests/github.test.ts | Updated mock structure to reflect new Octokit API with rest namespace |
| jest.config.js | Removed explicit jest-circus/runner configuration (now default in Jest 29) |
| tsconfig.json | Added skipLibCheck: true to avoid type conflicts from upgraded dependencies |
| osv-scanner.toml | Added vulnerability exception for undici (GHSA-g9mf-h72j-4rw9) |
| .github/workflows/dependency-review.yml | Added allow-ghsas configuration for the undici vulnerability |
| dist/licenses.txt | Auto-generated license updates reflecting new dependency tree |
| @@ -0,0 +1,3 @@ | |||
| [[IgnoredVulns]] | |||
| id = "GHSA-g9mf-h72j-4rw9" | |||
| reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very less likely in this context." | |||
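Review bot: the `[[IgnoredVulns]]` entry for `id = "GHSA-g9mf-h72j-4rw9"` has no expiry, so the suppression outlives the justification written for it; osv-scanner accepts an `ignoreUntil` date on these entries, e.g. `ignoreUntil = 2025-06-30 # re-check whether @actions/github pulls a fixed undici`, and the `reason` should name the undici version that fixes the advisory so the entry (and the matching `allow-ghsas` line in dependency-review.yml) can be dropped once the transitive dependency moves past it. The reason text also needs a small edit: "v6; and interacts" mixes a semicolon with "and", so drop the semicolon.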
Grammatical error: "very less likely" should be "much less likely" or "very unlikely".
| reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very less likely in this context." | |
| reason = "undici is a transitive dependency of @actions/github v6; and interacts with trusted servers. Resource exhaustion attack is very unlikely in this context." |
| "ts-jest": "^27.0.7", | ||
| "typescript": "^4.4.4" | ||
| "ts-jest": "^29.4.6", | ||
| "typescript": "~4.9" |
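Review bot: the move from `"typescript": "^4.4.4"` to `"typescript": "~4.9"` is not explained anywhere in the PR description, which gives reasons only for the @actions/github and Jest bumps. Whichever range is kept, record why in the description (for example, which upgraded dependency breaks on a later TypeScript minor), and be aware that `~4.9` with no patch component resolves to `>=4.9.0 <4.10.0`, while the neighbouring `"ts-jest": "^29.4.6"` keeps a caret range, so the two will drift under different update policies.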
The TypeScript version constraint changed from caret (^4.4.4) to tilde (~4.9). The tilde constraint is more restrictive and only allows patch-level updates (4.9.x), while the previous caret constraint allowed minor version updates (4.x.x). This means you won't automatically receive TypeScript 4.10+ patches. Consider using ^4.9 instead if you want to receive future patch and minor updates within the v4 major version, or document why the tilde constraint is preferred.
| "typescript": "~4.9" | |
| "typescript": "^4.9" |