npmpackage.info

Gathering detailed insights and metrics for @octokit/webhooks-methods

@octokit/webhooks-methods

Methods to handle GitHub Webhook requests

5.1.0

MIT

TypeScript

65,052,329 7.6

Installations

npm install @octokit/webhooks-methods

Score

99.3

Supply Chain

99.5

Quality

85.7

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

4

Total

301

Closed

6

Merged

291

Issues

Open

2

Total

7

Closed

5

Releases

v5.1.0

Published on 04 Apr 2024

v5.0.0

Published on 23 Feb 2024

v5.0.0-beta.6

Published on 23 Feb 2024

v5.0.0-beta.5

Published on 23 Feb 2024

v5.0.0-beta.4

Published on 23 Feb 2024

v5.0.0-beta.3

Published on 23 Feb 2024

View all 16 releases

Contributors

View all 18 contributors

Developer

octokit

Developer Guide

BETA

Module System

ESM

Min. Node Version

>= 18

Typescript Support

No

Node Version

20.11.1

NPM Version

10.5.0 Statistics

23 Stars

313 Commits

9 Forks

4 Watching

4 Branches

18 Contributors

Updated on 05 Nov 2024

Languages

TypeScript (79.13%)

JavaScript (20.87%)

Total Downloads

Cumulative downloads

Total Downloads

65,052,329

Last day

-30.9%

155,139

Compared to previous day

Last week

1,125,122

Compared to previous week

Last month

2.6%

4,783,839

Compared to previous month

Last year

113.9%

38,659,079

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dev Dependencies

@octokit/tsconfig @types/jest @types/node esbuild glob jest prettier puppeteer semantic-release semantic-release-plugin-update-version-in-files ts-jest typescript

Versions

webhooks-methods.js

Methods to handle GitHub Webhook requests

Table of contents

usage
Methods
Contributing
License

usage

Browsers	🚧 `@octokit/webhooks-methods` is not meant to be used in browsers. The webhook secret is a sensitive credential that must not be exposed to users. Load `@octokit/webhooks-methods` directly from esm.sh `1<script type="module"> 2 import { 3 sign, 4 verify, 5 verifyWithFallback, 6 } from "https://esm.sh/@octokit/webhooks-methods"; 7</script>`
Node	Install with `npm install @octokit/core @octokit/webhooks-methods` `1import { sign, verify, verifyWithFallback } from "@octokit/webhooks-methods";`

Browsers

🚧 @octokit/webhooks-methods is not meant to be used in browsers. The webhook secret is a sensitive credential that must not be exposed to users.

Load @octokit/webhooks-methods directly from esm.sh

1<script type="module">
2  import {
3    sign,
4    verify,
5    verifyWithFallback,
6  } from "https://esm.sh/@octokit/webhooks-methods";
7</script>

Node

Install with npm install @octokit/core @octokit/webhooks-methods

1import { sign, verify, verifyWithFallback } from "@octokit/webhooks-methods";

1await sign("mysecret", eventPayloadString);
2// resolves with a string like "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3"
3
4await verify("mysecret", eventPayloadString, "sha256=486d27...");
5// resolves with true or false
6
7await verifyWithFallback("mysecret", eventPayloadString, "sha256=486d27...", ["oldsecret", ...]);
8// resolves with true or false

Methods

`sign()`

1await sign(secret, eventPayloadString);

`secret` (String)	Required. Secret as configured in GitHub Settings.
`eventPayloadString` (String)	Required. Webhook request payload as received from GitHub. If you have only access to an already parsed object, stringify it with `JSON.stringify(payload)`

Resolves with a signature string. Throws an error if an argument is missing.

`verify()`

1await verify(secret, eventPayloadString, signature);

`secret` (String)	Required. Secret as configured in GitHub Settings.
`eventPayloadString` (String)	Required. Webhook request payload as received from GitHub. If you have only access to an already parsed object, stringify it with `JSON.stringify(payload)`
`signature` (String)	Required. Signature string as calculated by `sign()`.

Resolves with true or false. Throws error if an argument is missing.

`verifyWithFallback()`

1await verifyWithFallback(
2  secret,
3  eventPayloadString,
4  signature,
5  additionalSecrets,
6);

`secret` (String)	Required. Secret as configured in GitHub Settings.
`eventPayloadString` (String)	Required. Webhook request payload as received from GitHub. If you have only access to an already parsed object, stringify it with `JSON.stringify(payload)`
`signature` (String)	Required. Signature string as calculated by `sign()`.
`additionalSecrets` (Array of String)	If given, each additional secret will be tried in turn.

This is a thin wrapper around verify() that is intended to ease callers' support for key rotation. Resolves with true or false. Throws error if a required argument is missing.

Contributing

See CONTRIBUTING.md

License

MIT

No vulnerabilities found.

10

Maintained

Determines if the project is "actively maintained".

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Packaging

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

10

SAST

Determines if the project uses static code analysis.

9

Security-Policy

Determines if the project has published a security policy.

9

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

6

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 6

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add_to_octokit_project.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/add_to_octokit_project.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/codeql-analysis.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/immediate-response.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/immediate-response.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/test.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/test.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/test.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/test.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-prettier.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/update-prettier.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-prettier.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/webhooks-methods.js/update-prettier.yml/main?enable=pin
Info: 7 out of 16 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 3 third-party GitHubAction dependencies pinned
Info: 6 out of 6 npmCommand dependencies pinned

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Fuzzing

Determines if the project uses fuzzing.

Score

7.6

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More