Bump @octokit/rest from 18.12.0 to 20.1.1

[dependabot[bot]]

Bumps @octokit/rest from 18.12.0 to 20.1.1.

Release notes

Sourced from @​octokit/rest's releases.

v20.1.1

20.1.1 (2024-05-03)

Bug Fixes

• update REST endpoints (#428) (7058346)

v20.1.0

20.1.0 (2024-04-03)

Features

• security: Add provenance (#420) (9adf1a4)

v20.0.2

20.0.2 (2023-09-25)

Bug Fixes

• deps: update octokit monorepo (major) (#363) (258bf80)

v20.0.1

20.0.1 (2023-07-11)

Bug Fixes

• deps: update dependency @​octokit/plugin-request-log to v4 (#322) (688f86a)

v20.0.0

20.0.0 (2023-07-11)

Features

• v20 (#305) (5429dfd)

BREAKING CHANGES

• Drop support for NodeJS v14, v16
• Remove previews support for the REST API
• remove agent option from octokit.request()

v20.0.0-beta.5

20.0.0-beta.5 (2023-07-10)

... (truncated)

Commits

• 7058346 fix: update REST endpoints (#428)
• b4e2102 ci(action): update actions/checkout digest to 0ad4b8f (#426)
• 9d99a65 ci(action): update actions/checkout digest to 1d96c77 (#425)
• c751cb5 ci(action): update actions/add-to-project action to v1.0.1 (#424)
• 792bb39 chore(deps): update dependency undici to v6.11.1 [security] (#421)
• 9adf1a4 feat(security): Add provenance (#420)
• 9ab9253 ci(action): update actions/add-to-project action to v1
• 335f2d2 ci(action): update actions/add-to-project action to v0.6.1 (#418)
• 8f0efe0 build(deps-dev): Bump follow-redirects from 1.15.4 to 1.15.6 (#416)
• 5bf5fa6 build(deps-dev): Bump follow-redirects from 1.15.4 to 1.15.6 in /docs (#415)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[ericcornelissen]

This upgrade would resolve the deprecation warning about punycode seen when using this tool:

(node:282386) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)

running with --trace-deprecation gives (for example):

(node:282619) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
    at node:punycode:3:9
    at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:399:7)
    at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:338:10)
    at loadBuiltinModule (node:internal/modules/helpers:99:7)
    at Module._load (node:internal/modules/cjs/loader:1099:17)
    at TracingChannel.traceSync (node:diagnostics_channel:315:14)
    at wrapModuleLoad (node:internal/modules/cjs/loader:217:24)
    at Module.require (node:internal/modules/cjs/loader:1339:12)
    at require (node:internal/modules/helpers:126:16)
    at Object.<anonymous> (.../node_modules/whatwg-url/lib/url-state-machine.js:2:18)

checking where whatwg-url shows up I found:

$ npm ls whatwg-url
pin-github-action@1.9.1 .../pin-github-action
└─┬ @octokit/rest@18.12.0
  └─┬ @octokit/core@3.6.0
    └─┬ @octokit/request@5.6.3
      └─┬ node-fetch@2.6.7
        └── whatwg-url@5.0.0

and indeed, trying to run this project with this update makes the initial deprecation warning go away, seemingly as a result of dropping whatwg-url:

$ npm ls whatwg-url
pin-github-action@1.9.1 .../pin-github-action
└── (empty)

[mheap]

This isn't as easy as it appears sadly 😢

Octokit has moved to ESM modules away from CommonJS, which means some fairly involved work to update the rest of the project

[ericcornelissen]

I see :disappointed: A quick (and dirty?) solution could be to await import("@octokit/rest") inside the return Promise. It's already async so this shouldn't be a problem.

The following diff works for me when running the application:

-const { Octokit } = require("@octokit/rest");
-const github = new Octokit({
-  auth: process.env.GH_ADMIN_TOKEN,
-});
-
 let debug = () => {};
 module.exports = function (action, log) {
   debug = log.extend("find-ref-on-github");
   return new Promise(async function (resolve, reject) {
+    const { Octokit } = await import("@octokit/rest");
+    const github = new Octokit({
+      auth: process.env.GH_ADMIN_TOKEN,
+    });
+
     const owner = action.owner;

However, when running tests Jest complains that it needs --experimental-vm-modules which can be solved by running e.g. NODE_OPTIONS="--experimental-vm-modules" npm run test.

Alternatively, I'm also willing to look into porting the codebase to ESM, but that will take some more time.