📦 Update invite packages (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@google-cloud/functions-framework	3.4.2 -> 4.0.0
@octokit/rest	20.1.1 -> 22.0.0
@types/jest (source)	29.5.14 -> 30.0.0
@types/node (source)	20.17.9 -> 22.18.0
dotenv	16.4.7 -> 17.2.1
jest (source)	29.7.0 -> 30.1.1
probot (source)	12.4.0 -> 14.0.2

See all other Renovate PRs on the Dependency Dashboard

---

Release Notes

GoogleCloudPlatform/functions-framework-nodejs (@​google-cloud/functions-framework)

v4.0.0

Compare Source

⚠ BREAKING CHANGES

• upgrade all dependencies
• delete the undocumented "typed" function signature
• drop support for old nodejs versions

Bug Fixes

• delete the undocumented "typed" function signature (c0714e7)

Miscellaneous Chores

• drop support for old nodejs versions (c0714e7)
• upgrade all dependencies (c0714e7)

v3.5.1

Compare Source

Bug Fixes

• correct handling of IGNORED_ROUTES set to empty (4799207)

v3.5.0

Compare Source

Features

• adds a new ignored-routes config option (70f68e9)

Bug Fixes

• deps: downgrade @​types/express to v4 (d40a514)

v3.4.6

Compare Source

Bug Fixes

• remove logger.errorHandler. (#​676) (a5394d5)

v3.4.5

Compare Source

Bug Fixes

• fix trace context pattern, remove trace id and respect logging span id field. (#​667) (0fb00a5)

v3.4.4

Compare Source

Bug Fixes

• do not call render in the errorHandler (#​665) (9206893)

v3.4.3

Compare Source

Bug Fixes

• Fix typings for functions.cloudEvent to include callback. (#​631) (47cd4c6)

octokit/rest.js (@​octokit/rest)

v22.0.0

Compare Source

Bug Fixes

• deps: update octokit monorepo (major) (#​504) (77530ab)

BREAKING CHANGES

• deps: Drop support for NodeJS v18
• deps: Remove deprecated Projects endpoints
• deps: Remove deprecated Copilot usage metrics endpoints

v21.1.1

Compare Source

Bug Fixes

• deps: update Octokit dependencies to mitigate ReDos [security] (#​484) (ca256c3)

v21.1.0

Compare Source

Features

• new endpoints, bump Octokit deps to fix Deno (#​477) (908b1c8)

v21.0.2

Compare Source

Bug Fixes

• docs: update to react 18 and latest gatsby deps (#​462) (9a80f06), closes #​216 #​230 #​460

v21.0.1

Compare Source

Bug Fixes

• update deps (#​456) (93d5afb)

v21.0.0

Compare Source

Features

• v21 (#​413) (12b6c65)

BREAKING CHANGES

• package is now ESM

v20.1.2

Compare Source

Bug Fixes

• deps: bump Octokit dependencies to address ReDos vulnerabilities, bump devDependencies (#​487) (711f2ee), closes #​486

motdotla/dotenv (dotenv)

v17.2.1

Compare Source

Changed

• Fix clickable tip links by removing parentheses (#​897)

v17.2.0

Compare Source

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#​889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

v17.1.0

Compare Source

Added

• Add additional security and configuration tips to the runtime log (#​884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

v17.0.1

Compare Source

Changed

• Patched injected log to count only populated/set keys to process.env (#​879)

v17.0.0

Compare Source

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#​875)

v16.6.1

Compare Source

Changed

• Default quiet to true – hiding the runtime log message (#​874)
• NOTICE: 17.0.0 will be released with quiet defaulting to false. Use config({ quiet: true }) to suppress.
• And check out the new dotenvx. As coding workflows evolve and agents increasingly handle secrets, encrypted .env files offer a much safer way to deploy both agents and code together with secure secrets. Simply switch require('dotenv').config() for require('@​dotenvx/dotenvx').config().

v16.6.0

Compare Source

Added

• Default log helpful message [[email protected]] injecting env (1) from .env (#​870)
• Use { quiet: true } to suppress
• Aligns dotenv more closely with dotenvx.

v16.5.0

Compare Source

Added

• 🎉 Added new sponsor Graphite - the AI developer productivity platform helping teams on GitHub ship higher quality software, faster.

[!TIP]
Become a sponsor

The dotenvx README is viewed thousands of times DAILY on GitHub and NPM.
Sponsoring dotenv is a great way to get in front of developers and give back to the developer community at the same time.

Changed

• Remove _log method. Use _debug #​862

jestjs/jest (jest)

v30.1.1

Compare Source

Fixes

• [jest-snapshot-utils] Fix deprecated goo.gl snapshot warning not handling Windows end-of-line sequences (#​15800)

v30.1.0

Compare Source

v30.0.5

Compare Source

v30.0.4

Compare Source

Features

• [expect] The Inverse type is now exported (#​15714)
• [expect] feat: support async functions in toBe (#​15704)

Fixes

• [jest] jest --onlyFailures --listTests now correctly lists only failed tests (#​15700)
• [jest-snapshot] Handle line endings in snapshots (#​15708)

v30.0.3

Compare Source

Fixes

• [jest-config] Fix ESM TS config loading in a CJS project (#​15694)

Features

• [jest-diff] Show non-printable control characters to diffs (#​15696)

v30.0.2

Compare Source

v30.0.1

Compare Source

v30.0.0

Compare Source

probot/probot (probot)

v14.0.2

Compare Source

Bug Fixes

• deps: update @​probot/octokit-plugin-config (6f2d021)

v14.0.1

Compare Source

Bug Fixes

• add explicit undefined to optional types, and update webhooks types (#​1979) (05179ff)

v14.0.0

Compare Source

• feat!: v14 (#​2152) (97c4057)

BREAKING CHANGES

• Probot is now an ESM only library
• drop Node > 20.17 and Node 21 support
• Switch to GitHub's OpenAPI specification for Webhooks (from @octokit/webhooks v13)
• Remove legacy REST enpoint method access. Users will now have to use the octokit.rest.* methods
• Remove express server from within Probot.
• All properties marked as private in Typescript, including Probot#state, are now private class fields.
• createNodeMiddleware() is now an async function
• @sentry/node needs to be installed separately if needed
• ioredis needs to be installed separately if needed
• The built-in server now listens on localhost by default instead of 0.0.0.0.

Probot v14 Migration Guide

ESM Only Package

Probot is now exclusively an ESM package. Either migrate to ESM (recommended), or use `require(esm).

Migrating to ESM:

1. Update package.json:

{
  "type": "module"
}

2. Replace all CommonJS require() statements with ESM import syntax
3. Update your TypeScript configuration:

{
  "compilerOptions": {
    "module": "node16",
    "moduleResolution": "node16"
  }
}

For require(esm):

• For TypeScript 5.7-5.8: Use "module": "nodenext" and "moduleResolution": "nodenext"
• For TypeScript 5.9+: Use "module": "node20" and "moduleResolution": "node20"

Node.js Version Requirements

• Minimum supported version: Node.js 20.18+ and 22+
• Node.js 21 support has been dropped

Webhook Type Definitions

Replace webhook type imports:

// Before
import { WebhookEvent } from "@​octokit/webhooks-types";

// After
import { WebhookEvent } from "@​octokit/openapi-webhooks-types-migration";

REST API Access Pattern

Legacy endpoint methods have been removed:

app.on("issues.opened", async (context) => {
  // Before
  // const issue = await context.octokit.issues.get(context.issue());

  // After
  const issue = await context.octokit.rest.issues.get(context.issue());
});

Express Server Removal

The built-in Express server has been removed. To use Express:

1. Install Express:

npm install express

2. Update your Probot setup:

import Express from "express";
import { createNodeMiddleware, createProbot } from "probot";

const express = Express();

const app = (probot) => {
  probot.on("push", async () => {
    probot.log.info("Push event received");
  });
};

const middleware = await createNodeMiddleware(app, {
  webhooksPath: "/api/github/webhooks",
  probot: createProbot({
    env: {
      APP_ID,
      PRIVATE_KEY,
      WEBHOOK_SECRET,
    },
  }),
});

express.use(middleware);
express.use(Express.json());
express.get("/custom-route", (req, res) => {
  res.json({ status: "ok" });
});

express.listen(3000, () => {
  console.log(`Server is running at http://localhost:3000`);
});

HTTP Server no longer listens on 0.0.0.0 by default

The built-in HTTP server will now listen on localhost by default, instead of listening on all available interfaces.
If you wish to change this behaviour, you can use the HOST environment variable, or the --host variable for the probot run command.

env HOST=0.0.0.0 <start script>
probot run --host=0.0.0.0 app.js

Asynchronous Middleware Initialization

createNodeMiddleware() is now asynchronous:

import { createNodeMiddleware } from "probot";
import app from "../app.js";

// Before
// const middleware = createNodeMiddleware(app);

// After
const middleware = await createNodeMiddleware(app);

v13.4.7

Compare Source

Bug Fixes

• update @octokit/webhooks, remove internal rebindLog() function (#​2220) (c4c67c3), closes #​2062

v13.4.6

Compare Source

Bug Fixes

• update @​octokit/auth-app and @​octokit/core to fix logger binding issues (058878b)

v13.4.5

Compare Source

Bug Fixes

• deps: update dependency express to v5 (#​2090) (f6d4c3e)

v13.4.4

Compare Source

Bug Fixes

• deps: update Octokit dependencies that have ReDos vulnerability (816f2f7)

v13.4.3

Compare Source

Bug Fixes

• deps: update dependency @​probot/pino to v3 (#​2140) (7c3a99d)

v13.4.2

Compare Source

Bug Fixes

• memoryleak of octokit hook (#​2129) (2b48a8e)

v13.4.1

Compare Source

Bug Fixes

• ensure that the logger is always bound (#​2119) (cc85a24), closes #​2116

v13.4.0

Compare Source

Features

• allow custom logger for Octokit instances (#​2100) (19954c8)

v13.3.10

Compare Source

Bug Fixes

• deps: use fork of lru-cache to fix type issues (#​2104) (c87926b)

v13.3.9

Compare Source

Bug Fixes

• deps: bump @probot/pino to v2.5.0 (f26cf46), closes #​2102

v13.3.8

Compare Source

Bug Fixes

• deps: bump express to v4.21.0 (#​2085) (4c5310a)

v13.3.7

Compare Source

Bug Fixes

• types: avoid TS2590 errors in Context (#​2073) (23f6eab), closes #​1968

v13.3.6

Compare Source

Bug Fixes

• deps): Revert "fix(deps: update dependency lru-cache to v11" (#​2056) (60ff5b6), closes #​2049

v13.3.5

Compare Source

Bug Fixes

• remove eventsource dependency (#​2052) (caee841)

v13.3.4

Compare Source

Bug Fixes

• ci: Use organization-wide PROBOTBOT_NPM_TOKEN (#​2054) (cc86a53)

v13.3.0

Compare Source

Features

• set x-github-delivery header to event.id for all requests sent from context.octokit in event handlers (#​2027) (12944d5)

v13.2.2

Compare Source

Bug Fixes

• deps: update dependencies pino to v9, pino-http to v10 (#​2007) (ef7b9df)

v13.2.1

Compare Source

Bug Fixes

• probot: passes logger to webhooks (#​2011) (93007b6)

v13.2.0

Compare Source

Features

• security: Configure provenance (#​1997) (3f20320)

v13.1.2

Compare Source

Bug Fixes

• deps: update dependency express to v4.19.2 [security] (b1d3ac3)

v13.1.1

Compare Source

Bug Fixes

• deps: move bottleneck to dependencies (#​1992) (52de532)

v13.1.0

Compare Source

Features

• run: allow passing Octokit and log (#​1984) (d195264)

v13.0.2

Compare Source

Bug Fixes

• deps: update dependency commander to v12 (737835f)

v13.0.1

Compare Source

Bug Fixes

• deps: update dependency pino-http to v9 (#​1953) (5d95b73)

v13.0.0

Compare Source

Features

• v13 (#​1874) (948a1b7), closes #​1643
• Upgrade Octokit libraries to their latest major version

BREAKING CHANGES

• Drop support for NodeJS < 18
• replace node-fetch with the Fetch API
• default webhookPath is now /api/github/webhooks
• probot receive now only supports payloads in JSON format, previously also (unintionally) allowed JS.
• Probot now requires that payloads be passed as string to the .verify(), .verifyAndReceive() methods. Passing objects is no longer supported
• The middleware no longer accepts parsed payloads. You will have to pass it as a string

Note on Vercel deployments:

Set NODEJS_HELPERS environment variable to 0 in order to prevent Vercel from parsing the response body.
See Disable Helpers for detail.

---

Configuration

📅 Schedule: Branch creation - "after 12am every weekday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: invite/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: [email protected]
npm error Found: [email protected]
npm error node_modules/jest
npm error   dev jest@"30.1.1" from the root project
npm error
npm error Could not resolve dependency:
npm error peer jest@"^29.0.0" from [email protected]
npm error node_modules/ts-jest
npm error   dev ts-jest@"29.2.5" from the root project
npm error
npm error Conflicting peer dependency: [email protected]
npm error node_modules/jest
npm error   peer jest@"^29.0.0" from [email protected]
npm error   node_modules/ts-jest
npm error     dev ts-jest@"29.2.5" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-08-28T19_01_07_264Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-08-28T19_01_07_264Z-debug-0.log