[Snyk] Upgrade @octokit/rest from 16.38.1 to 19.0.3

[Manny27nyc]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade @octokit/rest from 16.38.1 to 19.0.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 104 versions ahead of your current version.
• The recommended version was released 25 days ago, on 2022-07-08.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASHSET-1320032	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: @octokit/rest

• 19.0.3 - 2022-07-08
  

  19.0.3 (2022-07-08)

  Bug Fixes

  • deps: update dependency @ octokit/plugin-paginate-rest to v3 (#161) (670f477)
• 19.0.2 - 2022-07-08
  

  19.0.2 (2022-07-08)

  Bug Fixes

  • deps: update dependency @ octokit/plugin-rest-endpoint-methods to v6 (#162) (310c738)
• 19.0.1 - 2022-07-07
  

  19.0.1 (2022-07-07)

  Bug Fixes

  • deps: update dependency @ octokit/core to v4 (#160) (0b8f202)
• 19.0.0 - 2022-07-07
  

  19.0.0 (2022-07-07)

  Continuous Integration

  • stop testing against NodeJS v10, v12 (#157) (526eb2b)

  BREAKING CHANGES

  • Drop support for NodeJS v10, v12
• 18.12.0 - 2021-10-07
  

  18.12.0 (2021-10-07)

  Features

  • .actions.downloadWorkflowRunAttemptLogs(), .actions.getWorkflowRunAttempt(), .repos.generateReleaseNotes(), .checks.rerequestRun(). Graduate nebula, zzzax, switcheroo, baptiste previews. Removes defunkt /repos/{owner}/{repo}/actions/runs/{run_id}/retry endpoint. Renames methods to have consistent AuthenticatedUser() suffix, deprecates previous method names (#125) (4daa9f3)
• 18.11.4 - 2021-09-30
  

  18.11.4 (2021-09-30)

  Bug Fixes

  • removes defunkt endpoints: GET /repos/{owner}/{repo}/community/code_of_conduct, DELETE /reactions/{reaction_id}. encrypted_value and key_id parameters are required for .rest.actions.{createOrUpdateEnvironmentSecret,setSelectedReposForOrgSecret}(). access_token parameter is required for .rest.apps.deleteAuthorization(). Previews graduated: ant-man, flash, scarlet-witch, squirrel-girl (#122) (9c02e7d)
• 18.11.3 - 2021-09-30
  

  18.11.3 (2021-09-30)

  Bug Fixes

  • deps: bump minimal version of @ octokit/plugin-paginate-rest to v2.16.4 to prevent typescript compile errors (#120) (fca1907)
• 18.11.2 - 2021-09-27
  

  18.11.2 (2021-09-27)

  Bug Fixes

  • luke-cage preview graduated (#119) (38a823f)
• 18.11.1 - 2021-09-24
  

  18.11.1 (2021-09-24)

  Bug Fixes

  • typescript: graduate previews dorian, inertia, london, lydian, wyandotte (#116) (f1e2416)
• 18.11.0 - 2021-09-22
  

  18.11.0 (2021-09-22)

  Features

  • octokit.rest.repos.{enable,disable}LfsForRepo(), octokit.rest.repos.mergeUpstream({ owner, repo, branch }) (916a8bb)
• 18.10.0 - 2021-08-31
• 18.9.1 - 2021-08-16
• 18.9.0 - 2021-08-03
• 18.8.0 - 2021-08-02
• 18.7.2 - 2021-07-30
• 18.7.1 - 2021-07-23
• 18.7.0 - 2021-07-21
• 18.6.8 - 2021-07-20
• 18.6.7 - 2021-07-04
• 18.6.6 - 2021-06-30
• 18.6.5 - 2021-06-30
• 18.6.4 - 2021-06-29
• 18.6.3 - 2021-06-26
• 18.6.2 - 2021-06-24
• 18.6.1 - 2021-06-23
• 18.6.0 - 2021-06-12
• 18.5.6 - 2021-06-01
• 18.5.6-beta.1 - 2021-06-01
• 18.5.5 - 2021-05-28
• 18.5.4 - 2021-05-27
• 18.5.3 - 2021-04-21
• 18.5.2 - 2021-03-27
• 18.5.1 - 2021-03-26
• 18.5.0 - 2021-03-26
• 18.4.0 - 2021-03-24
• 18.3.5 - 2021-03-08
• 18.3.4 - 2021-03-05
• 18.3.3 - 2021-03-05
• 18.3.2 - 2021-03-03
• 18.3.1 - 2021-03-01
• 18.3.0 - 2021-02-26
• 18.2.1 - 2021-02-24
• 18.2.0 - 2021-02-18
• 18.1.1 - 2021-02-13
• 18.1.0 - 2021-02-03
• 18.0.15 - 2021-01-25
• 18.0.14 - 2021-01-22
• 18.0.13 - 2021-01-22
• 18.0.12 - 2020-12-04
• 18.0.11 - 2020-12-03
• 18.0.10 - 2020-12-02
• 18.0.9 - 2020-11-02
• 18.0.8 - 2020-11-01
• 18.0.7 - 2020-10-30
• 18.0.6 - 2020-09-14
• 18.0.5 - 2020-09-04
• 18.0.4 - 2020-08-26
• 18.0.3 - 2020-07-24
• 18.0.2 - 2020-07-23
• 18.0.1 - 2020-07-16
• 18.0.0 - 2020-06-11
• 17.11.2 - 2020-06-11
• 17.11.1 - 2020-06-11
• 17.11.0 - 2020-06-07
• 17.10.0 - 2020-06-04
• 17.9.3 - 2020-06-03
• 17.9.2 - 2020-05-18
• 17.9.1 - 2020-05-17
• 17.9.0 - 2020-05-11
• 17.8.0 - 2020-05-06
• 17.7.0 - 2020-05-05
• 17.6.0 - 2020-04-24
• 17.5.2 - 2020-04-22
• 17.5.1 - 2020-04-20
• 17.5.0 - 2020-04-20
• 17.4.0 - 2020-04-19
• 17.3.0 - 2020-04-15
• 17.2.1 - 2020-04-12
• 17.2.0 - 2020-04-08
• 17.1.4 - 2020-03-26
• 17.1.3 - 2020-03-25
• 17.1.2 - 2020-03-24
• 17.1.1 - 2020-03-20
• 17.1.0 - 2020-03-11
• 17.0.1 - 2020-03-10
• 17.0.0 - 2020-02-19
• 17.0.0-beta.3 - 2020-02-07
• 17.0.0-beta.2 - 2020-02-04
• 17.0.0-beta.1 - 2020-02-03
• 16.43.2 - 2020-06-24
• 16.43.1 - 2020-02-03
• 16.43.0 - 2020-02-03
• 16.42.2 - 2020-02-03
• 16.42.1 - 2020-02-03
• 16.42.0 - 2020-02-03
• 16.41.2 - 2020-02-02
• 16.41.1 - 2020-01-31
• 16.41.0 - 2020-01-31
• 16.40.2 - 2020-01-30
• 16.40.1 - 2020-01-29
• 16.40.0 - 2020-01-28
• 16.39.0 - 2020-01-27
• 16.38.3 - 2020-01-25
• 16.38.2 - 2020-01-24
• 16.38.1 - 2020-01-22

from @octokit/rest GitHub release notes

Commit messages

Package name: @octokit/rest

• 670f477 fix(deps): update dependency @ octokit/plugin-paginate-rest to v3 (Article should note limit of 100 labels applied to issues and pull requests github/docs#161)
• 310c738 fix(deps): update dependency @ octokit/plugin-rest-endpoint-methods to v6 (LDAP team sync limited to 1499 max members github/docs#162)
• 0b8f202 fix(deps): update dependency @ octokit/core to v4 (Unable to link specific repositories to projects github/docs#160)
• 5256bba chore(deps): update dependency @ octokit/request to v6 (Clarify which email addresses may be set as primary github/docs#159)
• 5217679 ci(action): pin dependencies (Re-organize Changing a commit message documentation github/docs#158)
• 526eb2b ci: stop testing against NodeJS v10, v12 (Document search limitations around exact match and partial match github/docs#157)
• 4d22af3 chore(deps): update dependency semantic-release to v19 (Adding previous and next links for moving between articles github/docs#146)
• 0de190b chore(deps): update dependency react-debounce-render to v8 (Typo: "Grady Groovy" should be "Gradle Groovy" github/docs#145)
• 32c0b3b chore(deps): update dependency @ types/node to v16 ([Snyk] Security upgrade express from 4.17.1 to 4.19.2 #142)
• 01f05f8 chore(deps): update jest monorepo to v28 (major)
• 7a941b7 chore(deps): update react monorepo to v18 (major)
• dc6e81d ci(codeql): ignore on push events for dependabot branches (repo sync github/docs#153)
• 2748711 ci(codeql): ignore on push events for dependabot branches (run windows tests on the public repo github/docs#154)
• d446734 build(npm): replace 'pika' command with 'pika-pack' (#152)
• ec4f2d2 ci(action): update github/codeql-action action to v2 (#151)
• 53d38ea ci(action): update actions/setup-node action to v3 (#150)
• 2a48a6e ci(action): update actions/checkout action to v3 (#149)
• f06a0fa chore(deps): update dependency marked to v4
• c606831 chore(deps): update dependency html-react-parser to v2 (Bump the npm_and_yarn group with 6 updates #143)
• 43ece36 chore(deps): update dependency prettier to v2.7.1 ([Snyk] Security upgrade webpack from 4.44.0 to 5.0.0 #141)
• ad7a110 build: updates lock file from old generation and applies lint fixes to the security policy ([Snyk] Fix for 1 vulnerabilities #140)
• 627de0e Create SECURITY.md
• a2f69ec build(deps): lock file maintenance
• 4daa9f3 feat: `.actions.downloadWorkflowRunAttemptLogs()`, `.actions.getWorkflowRunAttempt()`, `.repos.generateReleaseNotes()`, `.checks.rerequestRun()`. Graduate `nebula`, `zzzax`, `switcheroo`, `baptiste` previews. Removes defunkt `/repos/{owner}/{repo}/actions/runs/{run_id}/retry` endpoint. Renames methods to have consistent `AuthenticatedUser()` suffix, deprecates previous method names ([Snyk] Security upgrade express from 4.17.1 to 4.17.3 #125)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[sonatype-lift]

Severe Vulnerability:

pkg:npm/%40octokit/rest@19.0.3

0 Critical, 1 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components

pkg:npm/node-fetch@2.6.7

SEVERE Vulnerabilities (1)




[CVE-2022-2596] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

CVSS Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

MODERATE Vulnerabilities (1)




[sonatype-2022-3677] CWE-200: Information Exposure

node-fetch - Exposure of Sensitive Information to an Unauthorized Actor

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

CVSS Score: 3.7

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE: CWE-200

---

Reply with "@sonatype-lift help" for info about LiftBot commands.
Reply with "@sonatype-lift ignore" to tell LiftBot to leave out the above finding from this PR.
Reply with "@sonatype-lift ignoreall" to tell LiftBot to leave out all the findings from this PR and from the status bar in Github.

When talking to LiftBot, you need to refresh the page to see its response. Click here to get to know more about LiftBot commands.

---

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]