fix(deps): bump Octokit dependencies to mitigate ReDos, devDependency modernization, bump prettier (#318)

* maint: modernize devDependencies

* chore(deps): update dependency prettier to v3.5.1

* fix(deps): bump Octokit dependencies to mitigate ReDos

---------

Co-authored-by: wolfy1339 <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: renovate[bot]

package-lock.json

@@ -12,7 +12,7 @@
     "lint": "prettier --check '{src,test,scripts}/**/*' README.md package.json",
     "lint:fix": "prettier --write '{src,test,scripts}/**/*' README.md package.json",
     "pretest": "npm run -s lint",
-    "test": "NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" npx jest --coverage"
+    "test": "vitest run --coverage"
   },
   "repository": "https://github.com/octokit/auth-oauth-user.js",
   "keywords": [
@@ -24,62 +24,27 @@
   "author": "Gregor Martynus (https://dev.to/gr2m)",
   "license": "MIT",
   "dependencies": {
-    "@octokit/auth-oauth-device": "^7.1.2",
-    "@octokit/oauth-methods": "^5.1.2",
-    "@octokit/request": "^9.1.4",
+    "@octokit/auth-oauth-device": "^7.1.3",
+    "@octokit/oauth-methods": "^5.1.3",
+    "@octokit/request": "^9.2.1",
     "@octokit/types": "^13.6.2",
     "universal-user-agent": "^7.0.0"
   },
   "devDependencies": {
     "@octokit/core": "^6.1.3",
     "@octokit/tsconfig": "^4.0.0",
-    "@types/jest": "^29.0.0",
     "@types/node": "^22.0.0",
+    "@vitest/coverage-v8": "^2.1.8",
     "esbuild": "^0.25.0",
-    "fetch-mock": "npm:@gr2m/fetch-mock@9.11.0-pull-request-644.1",
+    "fetch-mock": "^11.0.0",
     "glob": "^11.0.0",
-    "jest": "^29.0.0",
     "mockdate": "^3.0.4",
-    "prettier": "3.4.2",
+    "prettier": "3.5.1",
     "semantic-release-plugin-update-version-in-files": "^1.1.0",
-    "ts-jest": "^29.0.0",
-    "typescript": "^5.0.0"
-  },
-  "jest": {
-    "extensionsToTreatAsEsm": [
-      ".ts"
-    ],
-    "transform": {
-      "^.+\\.(ts|tsx)$": [
-        "ts-jest",
-        {
-          "tsconfig": "test/tsconfig.test.json",
-          "useESM": true
-        }
-      ]
-    },
-    "coverageThreshold": {
-      "global": {
-        "statements": 100,
-        "branches": 100,
-        "functions": 100,
-        "lines": 100
-      }
-    },
-    "moduleNameMapper": {
-      "^(.+)\\.jsx?$": "$1"
-    }
+    "typescript": "^5.0.0",
+    "vitest": "^2.1.8"
   },
   "release": {
-    "branches": [
-      "+([0-9]).x",
-      "main",
-      "next",
-      {
-        "name": "beta",
-        "prerelease": true
-      }
-    ],
     "plugins": [
       "@semantic-release/commit-analyzer",
       "@semantic-release/release-notes-generator",

package.json

@@ -117,7 +117,7 @@ export async function auth(
         | GitHubAppAuthentication
         | GitHubAppAuthenticationWithExpiration;
     } catch (error: any) {
-      // istanbul ignore else
+      /* v8 ignore next 5 */
       if (error.status === 404) {
         error.message = "[@octokit/auth-oauth-user] Token is invalid";
 
@@ -143,7 +143,7 @@ export async function auth(
         request: state.request,
       });
     } catch (error: any) {
-      // istanbul ignore if
+      /* v8 ignore next */
       if (error.status !== 404) throw error;
     }
 

src/auth.ts

@@ -1,6 +1,6 @@
-import * as OctokitTypes from "@octokit/types";
-import * as DeviceTypes from "@octokit/auth-oauth-device";
-import * as OAuthMethodsTypes from "@octokit/oauth-methods";
+import type * as OctokitTypes from "@octokit/types";
+import type * as DeviceTypes from "@octokit/auth-oauth-device";
+import type * as OAuthMethodsTypes from "@octokit/oauth-methods";
 
 export type ClientType = "oauth-app" | "github-app";
 

src/types.ts

@@ -1,11 +1,15 @@
+import { describe, expect, it, test } from "vitest";
 import { Octokit } from "@octokit/core";
-import fetchMock, { type MockMatcherFunction } from "fetch-mock";
+import fetchMock from "fetch-mock";
 
 import { createOAuthUserAuth } from "../src/index.js";
 
 describe("Octokit + OAuth web flow", () => {
   it("README example", async () => {
-    const matchCreateTokenRequest: MockMatcherFunction = (url, options) => {
+    const matchCreateTokenRequest: fetchMock.MockMatcherFunction = (
+      url,
+      options,
+    ) => {
       expect(url).toEqual("https://github.com/login/oauth/access_token");
       expect(options.headers).toEqual(
         expect.objectContaining({
@@ -17,7 +21,10 @@ describe("Octokit + OAuth web flow", () => {
       return true;
     };
 
-    const matchGetUserRequest: MockMatcherFunction = (url, options) => {
+    const matchGetUserRequest: fetchMock.MockMatcherFunction = (
+      url,
+      options,
+    ) => {
       expect(url).toEqual("https://api.github.com/user");
       expect(options.headers).toEqual(
         expect.objectContaining({
@@ -61,7 +68,10 @@ describe("Octokit + OAuth web flow", () => {
   });
 
   it("GitHub App auth", async () => {
-    const matchCreateTokenRequest: MockMatcherFunction = (url, options) => {
+    const matchCreateTokenRequest: fetchMock.MockMatcherFunction = (
+      url,
+      options,
+    ) => {
       expect(url).toEqual("https://github.com/login/oauth/access_token");
       expect(options.headers).toEqual(
         expect.objectContaining({
@@ -73,7 +83,10 @@ describe("Octokit + OAuth web flow", () => {
       return true;
     };
 
-    const matchGetUserRequest: MockMatcherFunction = (url, options) => {
+    const matchGetUserRequest: fetchMock.MockMatcherFunction = (
+      url,
+      options,
+    ) => {
       expect(url).toEqual("https://api.github.com/user");
       expect(options.headers).toEqual(
         expect.objectContaining({
@@ -119,7 +132,10 @@ describe("Octokit + OAuth web flow", () => {
 });
 
 test("Sets clientId/clientSecret as Basic auth for /authentication/{clientId}/* requests", async () => {
-  const matchCheckTokenRequest: MockMatcherFunction = (url, options) => {
+  const matchCheckTokenRequest: fetchMock.MockMatcherFunction = (
+    url,
+    options,
+  ) => {
     expect(url).toEqual(
       "https://api.github.com/applications/1234567890abcdef1234/token",
     );
@@ -166,7 +182,10 @@ test("Sets clientId/clientSecret as Basic auth for /authentication/{clientId}/*
 });
 
 test("Sets no auth for OAuth Web flow requests", async () => {
-  const matchCreateTokenRequest: MockMatcherFunction = (url, options) => {
+  const matchCreateTokenRequest: fetchMock.MockMatcherFunction = (
+    url,
+    options,
+  ) => {
     expect(url).toEqual("https://github.com/login/oauth/access_token");
     // @ts-ignore
     expect(options.headers.authorization).toBeUndefined();

test/octokit.test.ts

@@ -1,3 +1,4 @@
+import { describe, expect, it } from "vitest";
 import { createOAuthUserAuth, requiresBasicAuth } from "../src/index.js";
 
 describe("Smoke test", () => {

test/smoke.test.ts

@@ -1,7 +1,7 @@
+import { describe, expect, it, test, vi } from "vitest";
 import fetchMock from "fetch-mock";
 import MockDate from "mockdate";
 import { request } from "@octokit/request";
-import { jest } from "@jest/globals";
 
 import { createOAuthUserAuth } from "../src/index.js";
 
@@ -187,7 +187,7 @@ describe("OAuth device flow", () => {
           user_code: "usercode123",
           verification_uri: "https://github.com/login/device",
           expires_in: 900,
-          // use low number because jest.useFakeTimers() & jest.runAllTimers() didn't work for me
+          // use low number because vi.useFakeTimers() & vi.runAllTimers() didn't work for me
           interval: 0.005,
         },
         {
@@ -223,7 +223,7 @@ describe("OAuth device flow", () => {
         },
       );
 
-    const onVerification = jest.fn();
+    const onVerification = vi.fn();
     const auth = createOAuthUserAuth({
       clientId: "1234567890abcdef1234",
       clientSecret: "secret",

test/standalone.test.ts

@@ -0,0 +1,13 @@
+import { defineConfig } from "vite";
+
+export default defineConfig({
+  test: {
+    coverage: {
+      include: ["src/**/*.ts"],
+      reporter: ["html"],
+      thresholds: {
+        100: true,
+      },
+    },
+  },
+});