📦 Update bundle-size packages (major) #3095

renovate · 2025-08-28T19:00:15Z

This PR contains the following updates:

Package	Change	Age	Confidence
@octokit/core	`6.1.2` -> `7.0.3`
@octokit/plugin-rest-endpoint-methods	`13.2.6` -> `16.0.0`
@octokit/plugin-retry	`7.1.2` -> `8.0.1`
@octokit/request-error	`6.1.7` -> `7.0.0`
@octokit/types	`13.6.1` -> `14.1.0`
@octokit/webhooks	`13.3.0` -> `14.1.3`
@probot/octokit-plugin-config	`3.0.2` -> `4.0.0`
express (source)	`4.21.1` -> `5.1.0`
probot (source)	`13.3.8` -> `14.0.2`
smee-client	`2.0.3` -> `4.3.1`
vitest (source)	`2.1.9` -> `3.2.4`
vitest-mock-extended	`2.0.2` -> `3.1.0`

See all other Renovate PRs on the Dependency Dashboard

Release Notes

octokit/core.js (@octokit/core)

`v7.0.3`

Compare Source

Bug Fixes

add createLogger to ensure that pino does not break (#744) (0896c50)

`v7.0.2`

Compare Source

Bug Fixes

deps: update octokit monorepo (major) (#742) (629fa4e)

`v7.0.1`

Compare Source

Bug Fixes

deps: update dependency before-after-hook to v4 (#739) (2abf89e)

`v7.0.0`

Compare Source

Continuous Integration

stop testing against NodeJS v18 (#738) (78747bf)

BREAKING CHANGES

Drop support for NodeJS v18
build: set minimal node version in build script to v20
ci: stop testing against NodeJS v18

`v6.1.6`

Compare Source

Bug Fixes

add createLogger to ensure that pino does not break (#744) (78c6df8)

`v6.1.5`

Compare Source

Bug Fixes

deps: update dependency @octokit/types to v14 (#731) (3700c41)

`v6.1.4`

Compare Source

Bug Fixes

deps: bump Octokit dependencies vulnerable to ReDos (#723) (582d8bd)

`v6.1.3`

Compare Source

Bug Fixes

deps: bump Octokit dependencies to fix Deno compat (#715) (e2b21bb)

octokit/plugin-rest-endpoint-methods.js (@octokit/plugin-rest-endpoint-methods)

`v16.0.0`

Compare Source

Features

remove deprecated projects endpoints, remove deprecated copilot usage metric endpoints, add new billing.getGithubBillingUsageReportUser() and credentials.revoke() endpoint methods, private registry methods no longer in private beta, type update (#803) (4196f01)

BREAKING CHANGES

remove deprecated projects v1 endpoints
remove deprecated copilot usage metrics endpoints

`v15.0.0`

Compare Source

Continuous Integration

stop testing against NodeJS v18 (#801) (c016ce3)

BREAKING CHANGES

Drop support for NodeJS v18
build: set minimal node version in build script to v20
ci: stop testing against NodeJS v18

`v14.0.0`

Compare Source

Features

add new organization campaign endpoints, remove deprecated endpoints (#797) (4c8a166)

BREAKING CHANGES

remove deprecated copilot metrics endpoints
remove deprecated legacy projects endpoints

`v13.5.0`

Compare Source

Features

new /orgs/{org}/issue-types, /orgs/{org}/issue-types/{issue_type_id} enpoints (#792) (58d342e)

`v13.4.0`

Compare Source

Features

new /enterprises/{enterprise}/actions/hosted-runners, /orgs/{org}/actions/hosted-runners, /orgs/{org}/settings/network-configurations, /orgs/{org}/rulesets/{ruleset_id}/history,/repos/{owner}/{repo}/rulesets/{ruleset_id}/history endpoints (#791) (b3fe977)

`v13.3.1`

Compare Source

Bug Fixes

deps: bump @octokit/types - only changes to graphQL (#783) (519a1ab)

`v13.3.0`

Compare Source

Features

new action runner groups endpoints, new code scanning alerts autofix endpoints, new sub-issues endpoints, new private registries enpoints, new code security endpoints, various description updates (#777) (5e1ecd4)

octokit/plugin-retry.js (@octokit/plugin-retry)

`v8.0.1`

Compare Source

Bug Fixes

deps: update octokit monorepo to v7 (major) (#634) (f5fe899)

`v8.0.0`

Compare Source

Continuous Integration

stop testing against NodeJS v18 (#632) (2a3accb)

BREAKING CHANGES

Drop support for NodeJS v18
build: set minimal node version in build script to v20
ci: stop testing against NodeJS v18

`v7.2.1`

Compare Source

Bug Fixes

deps: update dependency @octokit/types to v14 (#626) (fa30232)

`v7.2.0`

Compare Source

Features

don't retry on HTTP 410 (#621) (40a8c8b)

`v7.1.4`

Compare Source

Bug Fixes

deps: bump @octokit/request-error from 6.1.6 to 6.1.7 [security] (#612) (62ae7c3)

`v7.1.3`

Compare Source

Bug Fixes

deps: bump octokit deps to fix Deno compat (#602) (b76ebd6)

octokit/request-error.js (@octokit/request-error)

`v7.0.0`

Compare Source

Continuous Integration

stop testing against NodeJS v18 (#512) (8eee0c1)

BREAKING CHANGES

Drop support for NodeJS v18
build: set minimal node version in build script to v20
ci: stop testing against NodeJS v18

`v6.1.8`

Compare Source

Bug Fixes

deps: update dependency @octokit/types to v14 (#505) (ab4ea7b)

octokit/types.ts (@octokit/types)

`v14.1.0`

Compare Source

Features

new GET /users/{username}/settings/billing/usage, POST /credentials/revoke endpoints, endpoint type updates, type performance fixes (#675) (a7ec830), closes #667 #666

`v14.0.0`

Compare Source

Features

new /orgs/{org}/campaigns and /orgs/{org}/campaigns/{campaign_number} enpoints, remove Copilot usage endpoints (#672) (42321eb)

BREAKING CHANGES

remove Copilot usage endpoints

`v13.10.0`

Compare Source

Features

new /orgs/{org}/issue-types, /orgs/{org}/issue-types/{issue_type_id} enpoints, add issue type to responses, description updates (#669) (302087f)

`v13.9.0`

Compare Source

Features

new /enterprises/{enterprise}/actions/hosted-runners, /orgs/{org}/actions/hosted-runners, /orgs/{org}/settings/network-configurations, /orgs/{org}/rulesets/{ruleset_id}/history,/repos/{owner}/{repo}/rulesets/{ruleset_id}/history endpoints (#668) (3ee44b3)

`v13.8.1`

Compare Source

Bug Fixes

deps: update dependency @octokit/openapi-types to v24 (#664) (94a68f9)

`v13.8.0`

Compare Source

Features

GraphQL: add type documentation for query and operationName (#662) (bb399b2)

`v13.7.0`

Compare Source

Features

new action runner groups endpoints, new code scanning alerts autofix endpoints, new sub-issues endpoints, new private registries enpoints, new code security endpoints, various description updates (#658) (b6db78e)

`v13.6.3`

Compare Source

Reverts

Revert "chore(deps): update dependency typedoc to ^0.27.0" (#660) (ef98ed6), closes #657

`v13.6.2`

Compare Source

Bug Fixes

remove @types/node from generated types (#656) (730a26d), closes /github.com/octokit/octokit.js/issues/2762#issuecomment-2486997620

octokit/webhooks.js (@octokit/webhooks)

`v14.1.3`

Compare Source

Bug Fixes

avoid Object.assign to avoid hiding potential type errors (#1166) (4c36fce)

`v14.1.2`

Compare Source

Bug Fixes

normalize trailing slashes (#1167) (ea2a89d)

`v14.1.1`

Compare Source

Bug Fixes

createLogger should not recreate the logger object if it already exists (#1162) (18f0be5)

`v14.1.0`

Compare Source

Features

add validate-event-name (#1161) (6965d70)

`v14.0.2`

Compare Source

Bug Fixes

types: add missing enterprise key (#1158) (4e83370)

`v14.0.1`

Compare Source

Bug Fixes

types: update webhook definitions from @octokit/openapi-webhooks v12 (#1156) (786caaf)

`v14.0.0`

Compare Source

Bug Fixes

deps: update octokit monorepo (major) (#1152) (1ec6af2), closes #1149

BREAKING CHANGES

deps: Drop support for NodeJS v18

`v13.9.1`

Compare Source

Bug Fixes

createLogger should not recreate the logger object if it already exists (#1162) (08bdfb5)

`v13.9.0`

Compare Source

Features

allow to specify timeout option in middleware, refactor middleware (#1148) (d5ffc92)

`v13.8.3`

Compare Source

Bug Fixes

use Uint8Array instead of Buffer (#1146) (07dc367)

Bug Fixes

remove unref call from web middleware timeout (#1140) (b23bff9), closes #1139

`v13.8.0`

Compare Source

Features

types: new issues.typed and issues.untyped and custom_property.promote_to_enterprise events (#1126) (fd515ec)

`v13.7.5`

Compare Source

Bug Fixes

types: payload type updates to include issue types and description updates (#1123) (15060bc)

`v13.7.4`

Compare Source

Bug Fixes

types: explicit return type from web middleware() (#1119) (7570dc0)

`v13.7.3`

Compare Source

Bug Fixes

add ./types entrypoint (#1114) (4a2d81a)

`v13.7.2`

Compare Source

Bug Fixes

build: replace the module property with the source property (#1102) (85ed3f3)

`v13.7.1`

Compare Source

Bug Fixes

types: mark type parameters as optional (#1101) (fead46f)

`v13.7.0`

Compare Source

Features

add new "web" middleware (#1078) (d0d5268)

`v13.6.1`

Compare Source

Bug Fixes

deps: update dependency @octokit/request-error to v6.1.7 [security] (#1109) (4073065)

`v13.6.0`

Compare Source

Features

add new secret_scanning_alert.publicly_leaked and secret_scanning_scan.completed events, type updates (#1104) (c8503c0)

`v13.5.1`

Compare Source

Bug Fixes

deps: bump @octokit/webhooks-methods (#1103) (03466b0), closes #1099

`v13.5.0`

Compare Source

Features

use verifyWithFallback to support secret rotation (#1080) (8a9682d)

`v13.4.3`

Compare Source

Bug Fixes

make verifyAndReceive accept a string name. (#1056) (c5d1a3c)

`v13.4.2`

Compare Source

Bug Fixes

deps: bump Octokit deps to fix Deno compat (#1090) (ffd5b28)

`v13.4.1`

Compare Source

Bug Fixes

types: correct some invalid types (#1074) (400aca9)

`v13.4.0`

Compare Source

Features

types: new projects_v2_status_update, sub_issues events (#1073) (555f42c)

probot/octokit-plugin-config (@probot/octokit-plugin-config)

`v4.0.0`

Compare Source

Bug Fixes

deps: update octokit monorepo (major) (#270) (ba7086e)

BREAKING CHANGES

deps: Drop support for Node 18 and 21

expressjs/express (express)

`v5.1.0`

Compare Source

========================

Add support for Uint8Array in res.send()
Add support for ETag option in res.sendFile()
Add support for multiple links with the same rel in res.links()
Add funding field to package.json
perf: use loop for acceptParams
refactor: prefix built-in node module imports
deps: remove setprototypeof
deps: remove safe-buffer
deps: remove utils-merge
deps: remove methods
deps: remove depd
deps: debug@^4.4.0
deps: body-parser@^2.2.0
deps: router@^2.2.0
deps: content-type@^1.0.5
deps: finalhandler@^2.1.0
deps: qs@^6.14.0
deps: [email protected]
deps: [email protected]

`v5.0.1`

Compare Source

==========

Update cookie semver lock to address CVE-2024-47764

`v5.0.0`

Compare Source

=========================

remove:
- path-is-absolute dependency - use path.isAbsolute instead
breaking:
- res.status() accepts only integers, and input must be greater than 99 and less than 1000
  - will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
  - will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
- deps: send@1.0.0
- res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
change:
- res.clearCookie will ignore user provided maxAge and expires options
deps: cookie-signature@^1.2.1
deps: debug@4.3.6
deps: merge-descriptors@^2.0.0
deps: serve-static@^2.1.0
deps: qs@6.13.0
deps: accepts@^2.0.0
deps: mime-types@^3.0.0
- application/javascript => text/javascript
deps: type-is@^2.0.0
deps: content-disposition@^1.0.0
deps: finalhandler@^2.0.0
deps: fresh@^2.0.0
deps: body-parser@^2.0.1
deps: send@^1.1.0

`v4.21.2`

Compare Source

What's Changed

Add funding field (v4) by @bjohansebas in https://github.com/expressjs/express/pull/6065
deps: [email protected] by @blakeembrey in https://github.com/expressjs/express/pull/5956
deps: bump [email protected] by @jonchurch in https://github.com/expressjs/express/pull/6209
Release: 4.21.2 by @UlisesGascon in https://github.com/expressjs/express/pull/6094

Full Changelog: expressjs/express@4.21.1...4.21.2

probot/probot (probot)

`v14.0.2`

Compare Source

Bug Fixes

deps: update @probot/octokit-plugin-config (6f2d021)

`v14.0.1`

Compare Source

Bug Fixes

add explicit undefined to optional types, and update webhooks types (#1979) (05179ff)

`v14.0.0`

Compare Source

feat!: v14 (#2152) (97c4057)

BREAKING CHANGES

Probot is now an ESM only library
drop Node > 20.17 and Node 21 support
Switch to GitHub's OpenAPI specification for Webhooks (from @octokit/webhooks v13)
Remove legacy REST enpoint method access. Users will now have to use the octokit.rest.* methods
Remove express server from within Probot.
All properties marked as private in Typescript, including Probot#state, are now private class fields.
createNodeMiddleware() is now an async function
@sentry/node needs to be installed separately if needed
ioredis needs to be installed separately if needed
The built-in server now listens on localhost by default instead of 0.0.0.0.

Probot v14 Migration Guide

ESM Only Package

Probot is now exclusively an ESM package. Either migrate to ESM (recommended), or use `require(esm).

Migrating to ESM:

Update package.json:

{
  "type": "module"
}

Replace all CommonJS require() statements with ESM import syntax
Update your TypeScript configuration:

{
  "compilerOptions": {
    "module": "node16",
    "moduleResolution": "node16"
  }
}

For require(esm):

For TypeScript 5.7-5.8: Use "module": "nodenext" and "moduleResolution": "nodenext"
For TypeScript 5.9+: Use "module": "node20" and "moduleResolution": "node20"

Node.js Version Requirements

Minimum supported version: Node.js 20.18+ and 22+
Node.js 21 support has been dropped

Webhook Type Definitions

Replace webhook type imports:

// Before
import { WebhookEvent } from "@&#8203;octokit/webhooks-types";

// After
import { WebhookEvent } from "@&#8203;octokit/openapi-webhooks-types-migration";

REST API Access Pattern

Legacy endpoint methods have been removed:

app.on("issues.opened", async (context) => {
  // Before
  // const issue = await context.octokit.issues.get(context.issue());

  // After
  const issue = await context.octokit.rest.issues.get(context.issue());
});

Express Server Removal

The built-in Express server has been removed. To use Express:

Install Express:

npm install express

Update your Probot setup:

import Express from "express";
import { createNodeMiddleware, createProbot } from "probot";

const express = Express();

const app = (probot) => {
  probot.on("push", async () => {
    probot.log.info("Push event received");
  });
};

const middleware = await createNodeMiddleware(app, {
  webhooksPath: "/api/github/webhooks",
  probot: createProbot({
    env: {
      APP_ID,
      PRIVATE_KEY,
      WEBHOOK_SECRET,
    },
  }),
});

express.use(middleware);
express.use(Express.json());
express.get("/custom-route", (req, res) => {
  res.json({ status: "ok" });
});

express.listen(3000, () => {
  console.log(`Server is running at http://localhost:3000`);
});

HTTP Server no longer listens on `0.0.0.0` by default

The built-in HTTP server will now listen on localhost by default, instead of listening on all available interfaces.
If you wish to change this behaviour, you can use the HOST environment variable, or the --host variable for the probot run command.

env HOST=0.0.0.0 <start script>
probot run --host=0.0.0.0 app.js

Asynchronous Middleware Initialization

createNodeMiddleware() is now asynchronous:

import { createNodeMiddleware } from "probot";
import app from "../app.js";

// Before
// const middleware = createNodeMiddleware(app);

// After
const middleware = await createNodeMiddleware(app);