npm audit fails on @octokit dependencies

[ferrarimarco]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitHub

Please tell us more about your question or problem

Hi. When running npm audit against the latest Renovate version (39.172.0), it fails reporting a couple of known vulnerabilities in dependencies (mainly in the @octokit namespace).

Would it be possible to update these dependencies? (see the log below for pointers).

Thanks.

Logs (if relevant)

Logs

# npm audit report

@octokit/plugin-paginate-rest  <=11.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/core
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/plugin-paginate-rest
  @octokit/rest  16.39.0 - 21.0.0-beta.4
  Depends on vulnerable versions of @octokit/core
  Depends on vulnerable versions of @octokit/plugin-paginate-rest
  Depends on vulnerable versions of @octokit/plugin-rest-endpoint-methods
  node_modules/@octokit/rest
    @renovatebot/osv-offline  *
    Depends on vulnerable versions of @octokit/rest
    node_modules/@renovatebot/osv-offline
      renovate  >=[32](https://github.com/super-linter/super-linter/actions/runs/13378331077/job/37362743221#step:5:33).196.1
      Depends on vulnerable versions of @renovatebot/osv-offline
      node_modules/renovate

@octokit/request  <=9.2.0
Severity: moderate
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj[38](https://github.com/super-linter/super-linter/actions/runs/13378331077/job/37362743221#step:5:39)
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/request
  @octokit/core  <=5.2.0
  Depends on vulnerable versions of @octokit/graphql
  Depends on vulnerable versions of @octokit/request
  node_modules/@octokit/core
    @octokit/plugin-rest-endpoint-methods  10.4.1 || 13.2.2
    Depends on vulnerable versions of @octokit/core
    node_modules/@octokit/plugin-rest-endpoint-methods
  @octokit/graphql  <=2.1.3 || 3.0.0 - 7.1.0
  Depends on vulnerable versions of @octokit/request
  node_modules/@octokit/graphql

8 moderate severity vulnerabilities

[rarkins]

The only production place used is this:

@renovatebot/osv-offline 1.5.12
└─┬ @octokit/rest 20.1.1
  └── @octokit/plugin-paginate-rest 11.3.1

Which is only used to fetch OSV files from GitHub. I don't see how this could potentially be exploitable, unless github.com or perhaps the OSV project were compromised and added a ReDoS attack. If either were compromised, we have bigger problems than a ReDoS

[ferrarimarco]

IDK :). looping @zkoppert in to evaluate this.

[secustor]

There are also big projects in the CNCF which rely on this e.g. Backstage.

[rarkins]

Alternatively we could replace this code with generic http get's: https://github.com/renovatebot/osv-offline/blob/8490dcaa7fd950a1cb7529b23d54d037567a6444/packages/osv-offline/src/lib/download.ts#L43-L57

[viceice]

I'll refactor that code tomorrow to use plain got requests and drop this dependency.

[ferrarimarco]

thanks a lot!

[harryzcy]

Looks like it's fixed by 39.175.5 after #34307

[ferrarimarco]

Thanks for the heads up