fix(deps): update dependency @octokit/request to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@octokit/request	6.2.5 -> 9.2.1

GitHub Vulnerability Alerts

CVE-2025-25290

Summary

The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.

Details

The vulnerability resides in the regular expression /<([^>]+)>; rel="deprecation"/, which is used to match the link header in HTTP responses. This regular expression captures content between angle brackets (<>) followed by ; rel="deprecation". However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.
An attacker can exploit this vulnerability by sending a specially crafted link header designed to trigger excessive backtracking. For example, the following headers:

fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");

The crafted link header consists of 100,000 consecutive < characters followed by a closing >. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load.
The issue is present in the following code:

const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);

In this scenario, the link header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

PoC

The gist of PoC.js

1. run npm i @​octokit/request
2. run 'node poc.js'
   result:
3. then the program will stuck forever with high CPU usage

import { request } from "@​octokit/request";
const originalFetch = globalThis.fetch;
globalThis.fetch = async (url, options) => {
  const response = await originalFetch(url, options);
  const fakeHeaders = new Headers(response.headers);
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
request("GET /repos/octocat/hello-world")
  .then(response => {
    // console.log("[+] Response received:", response);
  })
  .catch(error => {
    // console.error("[-] Error:", error);
  });
// globalThis.fetch = originalFetch;

Impact

This is a Denial of Service (DoS) vulnerability caused by a ReDoS (Regular Expression Denial of Service) flaw. The vulnerability allows an attacker to craft a malicious link header that exploits the inefficient backtracking behavior of the regular expression used in the code.
The primary impact is the potential for server resource exhaustion, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance.
The vulnerability impacts any system that uses this specific regular expression to process link headers in HTTP responses. This can include:

• Web applications or APIs that rely on parsing headers for deprecation information.
• Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.
• Service providers who may face disruption in operations or performance degradation due to this flaw.
  If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious link header, making it a low-barrier attack that could be exploited by anyone.

---

Release Notes

octokit/request.js (@​octokit/request)

v9.2.1

Compare Source

Bug Fixes

• mitigate ReDos vulnerabilities & lint (#​738) (6bb29ba)

v9.2.0

Compare Source

Features

• correctly parse response bodies as JSON where the Content-Type is application/scim+json (#​731) (00bf316)

v9.1.4

Compare Source

Bug Fixes

• deps: bump @octokit/types to fix deno compat (#​730) (324ffef)

v9.1.3

Compare Source

Bug Fixes

• improve toErrorMessage (#​714) (fcc5b25)

v9.1.2

Compare Source

Bug Fixes

• refactor: async await instead of Promise chain (#​711) (611b275)

v9.1.1

Compare Source

Bug Fixes

• pkg: add default fallback to exports (#​688) (9866c41)

v9.1.0

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v13 (#​684) (4d466a6)

Features

• re-add redirect request option (#​636) (23200c0), closes #​599
• security: Add provenance (#​685) (465bc7c)

v9.0.1

Compare Source

Bug Fixes

• pkg: add main export (#​681) (1d834ae)

v9.0.0

Compare Source

Features

• switch to ESM output (#​678) (517fd98)

BREAKING CHANGES

• Output a single ESM bundle

v8.4.0

Compare Source

Features

• re-add redirect request option (#​636) (abc4955), closes #​599

v8.3.1

Compare Source

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

Compare Source

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#​685) (2e67925)

v8.2.0

Compare Source

Features

• add documentation link in error message (#​667) (dbfeab2)

v8.1.6

Compare Source

Bug Fixes

• integrate isPlainObject (#​651) (2554219)

v8.1.5

Compare Source

Bug Fixes

• avoid Unexpected end of JSON input when response body is empty (#​648) (819cc3f), closes #​649

v8.1.4

Compare Source

Bug Fixes

• error.cause from undici may be instance of Error (#​643) (c67f902)

v8.1.3

Compare Source

Bug Fixes

• surface 'cause' for undici network errors (#​642) (7c9abfb)

v8.1.2

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v12 (#​637) (8fa4d61)

v8.1.1

Compare Source

Bug Fixes

• fetch-wrapper: improve error message when 'fetch' implementation is not present (#​617) (a83722c)

v8.1.0

Compare Source

Features

• add parseSuccessResponseBody Option (#​602) (110f3c4)

v8.0.4

Compare Source

Bug Fixes

• types: remove redirect option (#​612) (724699d)

v8.0.3

Compare Source

Bug Fixes

• correct the passing of the signal option (#​610) (5624353)

v8.0.2

Compare Source

Bug Fixes

• remove data argument (#​604) (8dbbb89)

v8.0.1

Compare Source

Bug Fixes

• deps: update octokit monorepo (major) (#​605) (95d4547)

v8.0.0

Compare Source

Features

• v8 (#​599) (ebf0865)

BREAKING CHANGES

• Replace support for Node.js http(s) Agents with documentation on using fetch dispatchers instead
• Remove ability to pass custom request options, except from method, headers, body, signal, data

v7.0.1

Compare Source

Bug Fixes

• deps: upgrade @octokit/endpoint (#​597) (ed784b0)

v7.0.0

Compare Source

Features

• v7 (#​586) (517ebab), closes #​581 #​580 #​587

BREAKING CHANGES

• Drop support for NodeJS v14, v16

• remove node-fetch in favor of global

• docs: update ToC for README.md

v6.2.8

Compare Source

Reverts

• Revert "fix(deps): update dependency @​octokit/request-error to v4 (#​593)" (9c9c6d7), closes #​593

v6.2.7

Compare Source

Bug Fixes

• deps: update dependency @​octokit/request-error to v4 (#​593) (62f51d6)

v6.2.6

Compare Source

Bug Fixes

• deps: update dependency @octokit/tsconfig to v2, explicitly mark type imports (#​588) (71d7488)

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Toronto, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
telescope	❌ Failed (Inspect)			Feb 14, 2025 10:16pm

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 WARN  The "store" setting has been renamed to "store-dir". Please use the new name.
 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

Your pnpm version is incompatible with "/tmp/renovate/repos/github/Seneca-CDOT/telescope".

Expected version: >=8
Got: 6.32.13

This is happening because the package's manifest has an engines.pnpm field specified.
To fix this issue, install the required pnpm version globally.

To install the latest version of pnpm, run "pnpm i -g pnpm".
To check your pnpm version, run "pnpm -v".