fix: mitigate ReDos vulnerabilities & lint (#738)

Releases 34ff07e * Linting issues * update `@octokit/endpoint` and `@octokit/request-error`
octokit · Feb 13, 2025 · 6bb29ba · 6bb29ba
1 parent 34ff07e
commit 6bb29ba
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 26 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -25,8 +25,8 @@
   "author": "Gregor Martynus (https://github.com/gr2m)",
   "license": "MIT",
   "dependencies": {
-    "@octokit/endpoint": "^10.0.0",
-    "@octokit/request-error": "^6.0.1",
+    "@octokit/endpoint": "^10.1.3",
+    "@octokit/request-error": "^6.1.6",
     "@octokit/types": "^13.6.2",
     "fast-content-type-parse": "^2.0.0",
     "universal-user-agent": "^7.0.2"

diff --git a/test/request.test.ts b/test/request.test.ts
@@ -23,26 +23,29 @@ function stringToArrayBuffer(str: string) {
 
 describe("request()", () => {
   it("Test ReDoS - attack string", () => {
-    const originalFetch = globalThis.fetch;
-    globalThis.fetch = async (url, options) => {
-      const response = await originalFetch(url, options);
+    const fakeFetch = async (url, options) => {
+      const response = await fetch(url, options);
       const fakeHeaders = new Headers(response.headers);
       fakeHeaders.set("link", "<".repeat(100000) + ">");
       fakeHeaders.set("deprecation", "true");
       return new Response(response.body, {
         status: response.status,
         statusText: response.statusText,
-        headers: fakeHeaders
+        headers: fakeHeaders,
       });
     };
     const startTime = performance.now();
-    request("GET /repos/octocat/hello-world");
+    request("GET /repos/octocat/hello-world", {
+      request: { fetch: fakeFetch },
+    });
     const endTime = performance.now();
     const elapsedTime = endTime - startTime;
-    const reDosThreshold = 2000; 
+    const reDosThreshold = 2000;
     expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
     if (elapsedTime > reDosThreshold) {
-      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+      console.warn(
+        `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`,
+      );
     }
   });