
fix(deps): update dependency @octokit/webhooks to v10 [security]#3853

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-octokit-webhooks-vulnerability

Conversation

@renovate renovate Bot commented Aug 6, 2024

Contributor

This PR contains the following updates:

Package             Change             Age      Confidence
@octokit/webhooks   9.15.0 -> 10.9.2   (badge)  (badge)

Unauthenticated Denial of Service in the octokit/webhooks library

CVE-2023-50728 / GHSA-pwfr-8pq7-x9qv

Impact

Versions v9.26.0, v10.9.x, v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process.

The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js

Maintenance release for the reference for octokit/webhooks.js in app.js

Maintenance release for the reference for octokit/webhooks.js in octokit.js

Maintenance release for the reference for octokit/webhooks.js in Probot

Workarounds

It is recommended that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated backported versions.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

octokit/webhooks.js (@octokit/webhooks)

v10.9.2
Bug Fixes

v10.9.1
Bug Fixes
  • empty commit to trigger a release on the [@latest](https://redirect.github.com/latest) npm tag (#838) (c5e041d)

v10.9.0
Features
  • typescript: new pull_request.milestoned and pull_request.demilestoned events (#830) (b2f4d18)

v10.8.0
Features
  • typescript: new pull_request.milestoned and pull_request.demilestoned events (#830) (8a7ac10)
Reverts
  • typescript: new pull_request.milestoned and pull_request.demilestoned events (#830) (#833) (7e087ae)

v10.7.3
Bug Fixes
  • build: include sourceContent in node/browser bundles (823dbfb)

v10.7.2
Bug Fixes
  • build: serve types from dist-types/index.d.ts (9168bd6)

v10.7.1
Bug Fixes
  • empty commit to trigger release (34ef02d)

v10.7.0
Features

v10.6.2
Bug Fixes
  • handle missing Content-Type header with null check (#805) (46597e7)

v10.6.1
Bug Fixes

v10.6.0
Features

v10.5.1
Bug Fixes
  • return helpful error when Content-Type header is not application/json (#795) (b7aee15)

v10.5.0
Features
  • deprecate onUnhandledRequest and accepting object payloads for webhooks.verify() and webhooks.verifyAndReceive() (#790) (c9d6a9d)

v10.4.0
Features
  • types: new registry_package event, updated types for package event (#783) (74882f6)

v10.3.1
Bug Fixes

v10.3.0
Features
  • new dependabot_alert and workflow_run.in_progress events, and various other type fixes (#759) (50626e5)

v10.2.0
Features
  • types: new pull_request.queued and pull_request.dequeued events (#755) (3af01d5)

v10.1.5
Bug Fixes
  • types: refactor BranchProtectionRule to have a common schema for the different rule types (#727) (8b305d7)

v10.1.4
Bug Fixes
  • types: correct enum values for required_conversation_resolution_level, add enum values for PullRequestReview#state (#725) (8e2d936)

v10.1.3
Bug Fixes

v10.1.2
Bug Fixes

v10.1.1
Bug Fixes

v10.1.0
Features

v10.0.9
Bug Fixes

v10.0.8
Bug Fixes
  • types: description updates for the check_suite event (#713) (7ee43e5)

v10.0.7
Bug Fixes

v10.0.6
Bug Fixes

v10.0.5
Bug Fixes

v10.0.4
Bug Fixes

v10.0.3
Bug Fixes

v10.0.2
Bug Fixes

v10.0.1
Bug Fixes
  • types: update the MarketplacePurchase#free_trial_ends_on property to also be a string (#697) (d7c4dce)

v10.0.0
Features
BREAKING CHANGES
  • drop support for NodeJS <= 14 (Older than v14)

v9.26.3
Bug Fixes
  • try to release with previously used semantic-release version (a674dd6)

v9.26.2
Bug Fixes

v9.26.1
Bug Fixes

v9.26.0
Features

v9.25.0
Features

v9.24.0
Features

v9.23.0
Features
  • types: new repository_vulnerability_alert.reopen event, remove workflow_job.started event, and many other type updates for events via @octokit/webhooks-types to v5.5.1 (#674) (f147fa3)

v9.22.0
Features
  • types: updates to deployment and deployment_status events, new deployment property for check_run event (#662) (ebf8f49)

v9.21.0
Features
  • types: new changes.base property on pull_request#edited, new merged_at property on issues common schema, new rerequestable property on check_suite#completed, new log_url property on deployment#created, remove content_reference event (#660) (9fdd549)

v9.20.0
Features

v9.19.0
Features

v9.18.0
Features
  • types: description updates for the workflow_run event (#657) (bad7bf7)

v9.17.0
Features

v9.16.0
Features
  • types: add missing event workflow_job.in_progress, description updates for push event payload properties (#647) (07279dc)

v9.15.1
Bug Fixes
  • types: add ability to remove onAny listeners again (#645) (2b00d86)
Configuration

📅 Schedule: (in timezone America/Toronto)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Aug 6, 2024
renovate Bot commented Aug 6, 2024

Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

Your pnpm version is incompatible with "/tmp/renovate/repos/github/Seneca-CDOT/telescope".

Expected version: >=8
Got: 6.32.13

This is happening because the package's manifest has an engines.pnpm field specified.
To fix this issue, install the required pnpm version globally.

To install the latest version of pnpm, run "pnpm i -g pnpm".
To check your pnpm version, run "pnpm -v".

vercel Bot commented Aug 6, 2024


The latest updates on your projects. Learn more about Vercel for GitHub.

Project     Deployment   Actions   Updated (UTC)
telescope   Error        Error     Mar 30, 2026 5:56pm

@renovate renovate Bot changed the title fix(deps): update dependency @octokit/webhooks to v10 [security] fix(deps): update dependency @octokit/webhooks to v10 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-octokit-webhooks-vulnerability branch March 27, 2026 01:45
@renovate renovate Bot changed the title fix(deps): update dependency @octokit/webhooks to v10 [security] - autoclosed fix(deps): update dependency @octokit/webhooks to v10 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-octokit-webhooks-vulnerability branch 2 times, most recently from d499693 to 82c3664 March 30, 2026 17:56
@renovate renovate Bot changed the title fix(deps): update dependency @octokit/webhooks to v10 [security] fix(deps): update dependency @octokit/webhooks to v10 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @octokit/webhooks to v10 [security] - autoclosed fix(deps): update dependency @octokit/webhooks to v10 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-octokit-webhooks-vulnerability branch 2 times, most recently from 82c3664 to 6d48b38 April 27, 2026 22:08